Find out why Strike Graph is the right choice for your organization. What can you expect?
Find out why Strike Graph is the right choice for your organization. What can you expect?
The AOC is the final hurdle in the PCI DSS process. This post covers everything you need to clear it easily. Explore each section of the AOC, download sample templates, and gain expert tips on leveraging PCI DSS to benefit your organization.
A PCI attestation of compliance (AOC) is a signed, formal document summarizing the results of an organization’s PCI DSS audit. The AOC attests to whether the organization meets the required security standards for handling payment card data. Organizations can provide it to others to promote trust.
The AOC is a concise summary of other key documents that detail the security measures used to meet each PCI DSS requirement. These can include a report on compliance (ROC) or a self-assessment questionnaire (SAQ), depending on your PCI DSS level.
“Completing an AOC is the final step in the entire PCI DSS process,” says Blazej Jedras, Head of IT Governance at Compliance Path, an Ideagen Software Company. “How you reach the AOC stage depends on factors like your PCI DSS level, how you handle card data, and your security history. While there are general guidelines, the card brands have the final say on the documentation they’ll accept.”
While each organization’s PCI process will be different, submitting a PCI AOC is a common requirement for any entity that must be PCI DSS compliant.
Key Takeaways:
Any business or service provider that processes, stores, or transmits credit card data needs a PCI attestation of compliance (AOC). It’s necessary regardless of their size or transaction volume.
The PCI AOC is a standard requirement across all PCI compliance levels. The details depend on your business type and which reporting documentation you use. Ultimately, every organization must submit an AOC to summarize whether it meets its specific compliance requirements.
When people describe a "certification of compliance," they usually mean an attestation of compliance (AOC). The term "certification of compliance" is incorrect. The PCI Security Standards Council doesn’t offer certification. The AOC is the only official document that confirms PCI compliance.
According to Stephen Ferrell, CISA CRISC, and Chief Strategy Officer at Strike Graph, the distinction between an attestation of compliance (AOC) and a "certification of compliance" can be confusing.
"PCI DSS doesn’t technically provide a certification," Ferrell explains. "However, the AOC serves as a kind of certification since it's the final step in the process. A Qualified Security Assessor (QSA) or company executive signs off on the AOC to formally confirm the audit findings are accurate. When people mention 'PCI certification,' they’re usually referring to the process of obtaining an AOC and verifying compliance."
A PCI AOC is a form that merchants and service providers use to confirm their audit results. An ROC (report on compliance) is a detailed report of the audit findings for Level 1 merchants and service providers. For Level 1 entities, the AOC summarizes and verifies the ROC.
A qualified security assessor (QSA) completes the detailed report on compliance (ROC) for Level 1 merchants and service providers to outline how the organization meets PCI DSS requirements. After the audit, the QSA uses the ROC to fill out the shorter, less detailed attestation of compliance (AOC).
Here's a summary of the major differences between an ROC and AOC:
A PCI DSS attestation of compliance includes four sections. The first is basic organizational details. Second is the scope and summary of the PCI assessment. The final two steps are to confirm compliance and address any non-compliance.
The Payment Card Industry Security Standards Council (PCI SSC) publishes specific AOC forms that summarize the reporting documentation organizations use, whether they are completing a report on compliance (ROC) or a self-assessment questionnaire (SAQ).
Level 1 merchants must hire a qualified security assessor (QSA) to conduct an external audit and fill out an ROC. Meanwhile, levels 2-4 merchants complete an SAQ. Each SAQ targets specific business types and payment processing methods. For instance, SAQ-A merchants, who use e-commerce or mail orders and outsource all payment processing, complete a shorter AOC. Because their SAQ requires less information, the AOC also requires less detail. This results in nine types of AOCs for merchants—one for each of the eight SAQs and one for the ROC. Although there are nine different AOCs, most of them, particularly those for SAQs, are very similar in structure and content.
It's important to fill out the AOC that corresponds with your reporting documentation. You can download the AOC for your assessment type from the PCI SSC document library.
Here's a breakdown of the parts and sections in a PCI DSS AOC for merchants:
Part 3a: Merchant Acknowledgment:
The merchant signatory must confirm that they completed the relevant SAQ and will maintain the PCI DSS controls at all times.
Part 3b: Merchant Attestation:
In this section, the merchant executive officer signs the attestation to officially attest that the AOC is accurate.
Part 3c: Qualified Security Assessor (QSA) Acknowledgement
This section provides space for the QSA to describe their role in the assessment process. The QSA must also sign the document to confirm their involvement.
Part 3d: PCI SSC Internal Security Assessor (ISA) Involvement:
If the merchant involved an ISA during the assessment, they must describe what specific roles they performed, like conducting testing procedures or offering additional support.
Section 4: Action Plan for Non-Compliance Requirements
Only merchants who select “non-compliant” in Section 3 must complete Section 4. This section outlines the 12 PCI DSS requirements. Non-compliant merchants must provide a remediation plan for each requirement they fail to meet.
The main difference between the PCI AOC for service providers and merchants is in Part 2, which focuses on scope. Service providers must answer different questions that reflect their broader scope and higher compliance standards. Otherwise, the major categories and parts of the AOC are identical.
The AOCs for merchants and service providers differ slightly based on how each handles credit card data. Service providers face stricter requirements and have only two levels. Level 1 service providers complete an AOC based on an ROC assessment. Level 2 service providers, like Level 2-4 merchants, don’t need an ROC and instead complete an SAQ. All Level 2 service providers fill out an SAQ-D. In contrast, merchants fall into one of eight SAQ types depending on their business model.
Here's a summary of how the AOCs differ for service providers and merchants that fill out the same reporting documentation (ROCs or an SAQ-D):
Parts 1, 3, and 4 are the same.
Part 2 focuses on the scope of the assessment for both merchants and service providers but asks different questions.
To fill out a PCI DSS attestation of compliance, follow these steps:
Here's a list of the steps that every organization must take to complete an AOC:
Download a sample PCI AOC to see what a completed document looks like. This fictional example provides context for AOC categories and helps you understand the types of data needed to complete your own AOC comprehensively.
You can find a sample PCI AOC document in our PCI DSS Compliance Starter Kit.
Strike Graph’s PCI DSS Compliance Starter Kit has everything you need to hit the ground running. It includes AOC templates that help streamline your documentation process. It also features other PCI essentials like a policy template, a compliance checklist, and more.
Download the PCI DSS Compliance Starter Kit
The main benefit of PCI attestation is that it confirms that you protect credit card data according to PCI DSS standards. This compliance lets you work with major card companies, shows your dedication to security, and boosts your reputation as a secure business.
“PCI DSS compliance matters because it is a requirement for doing business with the big credit card companies,” says Michelle Strickler, Information Security and Data Privacy Compliance Strategist at Strike Graph.”
“Demonstrating compliance via an ROC with an AOC or via an SAQ with an AOC has more weight than simply declaring or stating one is compliant. That’s because whoever signs the AOC – whether it’s a QSA for a Level 1 merchant, an executive, or a PCI DSS consultant – is attesting that the compliance assessment is accurate – their signature is on the line.”
Here's a summary of the benefits of attesting to PCI compliance:
Formally attesting PCI compliance with an AOC is the last step in becoming Pci compliant. It verifies that you meet PCI DSS standards and allows you to continue partnering with major credit card companies.
Every merchant and service provider must conduct a new PCI audit annually and submit a new AOC. To pass the assessment, companies must keep up with any PCI requirement changes and consistently uphold security standards.
Jedras says that the specific deadlines for submitting PCI documentation vary by organization.
“The PCI SSC doesn’t mandate when to submit documentation; instead, it’s up to the credit card companies, which all require organizations to submit an AOC every year. In practice, each deadline is based on the organization’s individual compliance cycle, meaning the date they submitted their first PCI compliance documentation.”
Although the PCI SSC does not set deadlines, it does create and distribute the AOC and frequently updates the PCI standards to reflect changing security environments.
“The AOC procedure may change when the PCI SSC updates the standard or other regulations,” explains Ferrell. “That’s why it’s so important for companies to keep up with these developments and modify their compliance initiatives as necessary. Some ways to stay up to date are working with an experienced QSA, going to industry events, and subscribing to PCI SSC updates.”
Most errors in a PCI AOC occur when organizations don't provide complete or accurate responses to the questions. A common challenge is fully understanding the extent of the PCI scope. Sometimes, merchants also complete the wrong self-assessment questionnaire (SAQ).
“One of the biggest mistakes companies make when filling out their AOC is misinterpreting the scope of their assessment,” says Ferrell. “This misunderstanding can lead organizations to select the wrong SAQ, which in turn results in filling out the incorrect AOC. It’s a cascading error that complicates the process and may require starting over.”
He adds: “Failing to account for compensatory controls is another common issue. Compensatory controls are alternative security measures that companies use when they can’t meet a specific PCI requirement in the standard way, and forgetting to document them leaves compliance gaps. It is essential to be exact and comprehensive.”
Here's a summary of the major challenges and errors when filling out an AOC:
Common mistakes made when filling out an AOC include misinterpreting the assessment's scope, recognizing the SAQ type erroneously, or failing to record compensatory controls adequately. It is essential to be exact and comprehensive.
Strike Graph supports you along every step of the PCI DSS process, making compliance easier than ever. With a centralized dashboard, you can easily pull data for SAQs and AOCs. Its proactive compliance monitoring identifies issues before you submit, saving you time and resources.
“Using Strike Graph to maintain and track your PCI compliance pays off along all parts of your PCI DSS process, including filling out documentation like the SAQ and AOC,” says Strickler. “These documents all ask questions that you can easily answer by pulling data from your centralized Strike Graph compliance dashboard and your control library.”
More companies are turning to Strike Graph for compliance. It consolidates multiple frameworks, from SOC 2 to PCI DSS, allowing organizations to track and manage them efficiently. Unlike other compliance software, Strike Graph puts you in the driver’s seat, enabling you to design a personalized compliance program that meets your needs.
As your business grows, so do your compliance needs. Strike Graph handles compliance automation for multiple frameworks simultaneously, allowing you to focus on business growth while we handle the compliance legwork.
Understanding the PCI DSS AOC process can be difficult. Here, you’ll find answers to frequently asked questions to clarify misconceptions and provide essential information on PCI DSS compliance and the AOC.
Yes, you can share your PCI compliance attestation, but be cautious. Sharing your PCI AOC can confirm your compliance status and solidify your reputation. However, it’s essential to limit distribution to partners or stakeholders who need the information.
A PCI attestation of compliance (AOC) is valid for one year. Check with the entity receiving your documentation, typically your acquiring bank or credit card partners, to confirm details and submission requirements.
The PCI Security Standards Council (PCI SSC) provides the AOC templates. Organizations then fill out and sign the AOC. For Level 1 entities, a Qualified Security Assessor (QSA) completes and signs the AOC. Lower-level entities may have a company executive sign it.
The PCI AOC is not fully confidential, but experts recommend handling it with care. Share it only with important business partners.
The AOC signer depends on the organization’s PCI DSS level. It might be a Qualified Security Assessor (QSA), a company executive, or another authorized person. This person confirms that the AOC is accurate and that the organization meets PCI DSS requirements.
You must submit a PCI attestation of compliance every year. The exact timing depends on your organization’s compliance cycle and your acquiring bank or payment partners' requirements. Typically, organizations submit it around the same time each year.
Your acquiring bank or credit card partners need to see the AOC. They also need to see your other documentation, such as a report on compliance (ROC) or self-assessment questionnaire (SAQ). Some organizations also share their AOC with key business partners to verify their compliance.
An attestation of compliance (AOC) is a formal declaration that confirms an organization meets PCI DSS requirements. It "attests" or declares PCI compliance by summarizing the results of a PCI audit or self-assessment and verifying that the organization is compliant.
You submit a PCI attestation of compliance (AOC) to your acquiring bank or payment partners.
The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.
Strike Graph offers an easy, flexible security compliance solution that scales efficiently with your business needs — from SOC 2 to ISO 27001 to GDPR and beyond.
© 2024 Strike Graph, Inc. All Rights Reserved • Privacy Policy • Terms of Service
Find out why Strike Graph is the right choice for your organization. What can you expect?
Find out why Strike Graph is the right choice for your organization. What can you expect?