PCI DSS compliance helps you demonstrate your commitment to security and indicate to your customers that cardholder data is protected.
When you participate in a PCI DSS audit, your organization’s systems and processes are tested against twelve technical and operational requirements made up of approximately 400 individual controls established by the PCI Security Council to protect cardholder data.
From understanding PCI DSS requirements to knowing exactly how data is stored and transmitted, achieving PCI compliance requires a wealth of knowledge of the payment card industry.
You may have heard terms such as PCI SAQ, AOC, and PCI ROC and wondered what the difference between them is and whether you need to complete them. You’re not alone, and we hope the information below clears up any misunderstandings about what these terms mean and when each applies.
A PCI DSS audit has three phases, and the merchant level of your business influences what you need from a PCI DSS audit. Let’s take a look at the differences between the PCI DSS Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AoC), and Report on Compliance (RoC).
What is PCI SAQ (Self-Assessment Questionnaire)?
SAQ stands for Self-Assessment Questionnaire, a tool used to assess PCI DSS compliance and cardholder data security. It is a reporting instrument that allows merchants and service providers who are eligible to self-assess to document the outcome of their PCI DSS self-assessment.
The PCI Self-Assessment Questionnaire (SAQ) consists of two components:
- A series of questions corresponding to the PCI DSS requirements. The questionnaire includes a set of yes or no questions for each applicable PCI Data Security Standard requirement. If the response is no, your company may need to set a target date for remediation and take other steps.
- The Attestation of Compliance (AOC), a document in which your company formally attests to its PCI DSS compliance. You attest by confirming that you are eligible to self-assess and have completed the required Self-Assessment. The AOC that matches your chosen SAQ is bundled with it.
In some cases a simple self-declaration of compliance is sufficient. In others, a PCI Council-approved Qualified Security Assessor (QSA) must be involved; in those cases the QSA reviews and signs off on the completed self-assessment.
Various PCI SAQs can be employed to satisfy the needs of different merchant environments. You can quickly locate the Self-Assessment Questionnaire that best describes your payment card acceptance process.
If you’re unsure which SAQ applies to you, contact your bank or payment card acquirer for assistance. Upon completion, the SAQ is submitted to the appropriate acquirer or payment brand, along with the AOC and any other requested documentation.
The PCI Self-Assessment Questionnaire (SAQ) is a tool used to document an organization’s self-assessment of its security practices regarding cardholder data.
Multiple SAQs are available, each matched to a particular way of handling card transactions. Nine different types of PCI SAQ apply to organizations depending on how they process, transmit, and store cardholder data:
- PCI SAQ A
- PCI SAQ A-EP
- PCI SAQ B
- PCI SAQ B-IP
- PCI SAQ C-VT
- PCI SAQ C
- PCI SAQ P2PE
- PCI SAQ D for Merchants
- PCI SAQ D for Service Providers
PCI SAQs help determine which PCI DSS requirements apply to your organization and how well your existing systems meet those security requirements.
Each SAQ type targets a different environment, so you need to evaluate which one is appropriate for your organization before you can obtain a PCI AoC.
You complete the SAQ by answering yes or no to each question based on the state of your security controls. Merchants at the lower transaction-volume levels use PCI Self-Assessment Questionnaires (PCI SAQs) to self-assess their PCI compliance.
What is PCI AOC (Attestation of Compliance)?
PCI Attestation of Compliance (AoC) is a certification completed by the Qualified Security Assessor (QSA) that specifies an organization’s PCI DSS compliance status. A PCI AOC (Attestation of Compliance) is documented evidence that an organization supports security best practices to protect cardholder data.
An AoC is a written statement that your organization has completed the valid SAQ or PCI assessment and has been verified by a PCI QSA.
If your organization is a merchant, the SAQ, AoC, and RoC requirements will vary depending on your PCI compliance level. You may determine your compliance level from the four different PCI merchant levels by reading our “PCI Compliance Merchant Levels” article.
As with the SAQ, there are different versions of the AoC, each corresponding to an SAQ type. Whichever SAQ your organization completes determines which AoC applies to you.
The PCI AOC is a form that merchants and service providers use to attest to the results of a PCI DSS assessment; it is presented to an acquirer or payment brand along with the appropriate SAQ or ROC and any other requested documentation.
The PCI DSS (Payment Card Industry Data Security Standard) Attestation of Compliance (AoC) is a document that serves as a merchant’s statement of compliance with PCI DSS. Depending on whether the assessment is validated internally or by an external assessor, the AoC is completed either by the merchant or by a Qualified Security Assessor (QSA).
Assessments result in a Report on Compliance (RoC), an Attestation of Compliance (AoC), or both. The PCI RoC and AoC are provided annually to the merchant’s credit card acquirer to demonstrate compliance with the PCI DSS requirements. The required form of proof is determined by the merchant level and the requirements of the particular card brand.
Every merchant and service provider that processes credit card data must undergo an assessment to demonstrate compliance with the 12 PCI DSS requirements. PCI DSS is a data security standard for businesses that accept the major credit card brands.
The PCI DSS mandates that all firms that process, store, or transmit payment card data do so securely. Under the PCI DSS, any merchant who uses a service provider must keep track of that vendor’s PCI compliance.
What is PCI RoC (Report on Compliance)?
A QSA issues a PCI Report on Compliance (RoC) that outlines an organization’s security posture, environment, systems, and cardholder data protection. The PCI RoC is produced from a comprehensive assessment carried out by the QSA, including on-site audit work and a review of controls.
The Report on Compliance (ROC) is where the PCI requirements for protecting credit card information are actually put to the test. All Level 1 merchants must have a PCI ROC. A PCI Level 1 merchant is a retailer with more than 6 million Visa or Mastercard transactions per year.
The required documents at different PCI levels are as follows:
- PCI Level 1 Merchant – ROC and Quarterly External ASV Scans
- PCI Level 2 Merchant – ROC or appropriate SAQ and Quarterly External ASV Scans (depending on card brand requirements)
- PCI Level 3 Merchant – Eligible SAQ and Quarterly External ASV Scans
After testing your controls and collecting documentation of your processes, the PCI auditor (QSA) writes a summary of findings that results in the final PCI RoC (Report on Compliance).
The Report on Compliance documents the detailed results of a PCI DSS assessment. The Qualified Security Assessor (QSA) completes the PCI ROC after the audit, and it is then presented to the merchant’s acquirer. After the acquirer accepts the PCI ROC, it forwards it to the payment brand for verification.
Each PCI RoC follows the PCI Security Standards Council’s specifications for a qualifying RoC, based on the RoC Reporting Template provided to all PCI QSAs. Standardized reporting lets your organization give every stakeholder, customer, or interested party a clear picture of your PCI compliance status.
You can find SAQ, AOC, and ROC documents on the official PCI DSS site document library.