post-img
  • Home >
  • Resources >
  • PCI attestation of compliance (AOC): components, steps, samples, and starter kit
PCI DSS PCI DSS

PCI attestation of compliance (AOC): components, steps, samples, and starter kit

  • copy-link-icon

    Copy URL

  • linkedin-icon

The AOC is the final hurdle in the PCI DSS process. This post covers everything you need to clear it easily. Explore each section of the AOC, download sample templates, and gain expert tips on leveraging PCI DSS to benefit your organization.

What is a PCI attestation of compliance (AOC)?

A PCI attestation of compliance (AOC) is a signed, formal document summarizing the results of an organization’s PCI DSS audit. The AOC attests to whether the organization meets the required security standards for handling payment card data. Organizations can provide it to others to promote trust.

The AOC is a concise summary of other key documents that detail the security measures used to meet each PCI DSS requirement. These can include a report on compliance (ROC) or a self-assessment questionnaire (SAQ), depending on your PCI DSS level.

Blazej Jedras, Head of IT Governance at Compliance Path, an Ideagen Software Company

“Completing an AOC is the final step in the entire PCI DSS process,” says Blazej Jedras, Head of IT Governance at Compliance Path, an Ideagen Software Company. “How you reach the AOC stage depends on factors like your PCI DSS level, how you handle card data, and your security history. While there are general guidelines, the card brands have the final say on the documentation they’ll accept.”


While each organization’s PCI process will be different, submitting a PCI AOC is a common requirement for any entity that must be PCI DSS compliant.

Key Takeaways:

  • A PCI attestation of compliance (AOC) is a concise document that formally attests that a company’s PCI audit results are accurate and that the company is PCI compliant.
  • An AOC sends a strong message to credit card companies and business partners that you take credit card security seriously and are reputable, reliable, and secure.
  • The PCI Security Standards Council (SSC) provides an AOC for each type of reporting documentation, including both the report on compliance (ROC) and the self-assessment questionnaires (SAQs).
  • Every AOC has four sections summarizing the audit results and includes a space for an executive or PCI expert to sign and formally attest to compliance.
  • A common mistake in the PCI AOSC process is misinterpreting the scope or selecting the wrong SAQ.

Who needs a PCI AOC?

Any business or service provider that processes, stores, or transmits credit card data needs a PCI attestation of compliance (AOC). It’s necessary regardless of their size or transaction volume. 

The PCI AOC is a standard requirement across all PCI compliance levels. The details depend on your business type and which reporting documentation you use. Ultimately, every organization must submit an AOC to summarize whether it meets its specific compliance requirements.

What is the difference between attestation of compliance and certification of compliance?

When people describe a "certification of compliance," they usually mean an attestation of compliance (AOC). The term "certification of compliance" is incorrect. The PCI Security Standards Council doesn’t offer certification. The AOC is the only official document that confirms PCI compliance.  

According to Stephen Ferrell, CISA CRISC, and Chief Strategy Officer at Strike Graph, the distinction between an attestation of compliance (AOC) and a "certification of compliance" can be confusing. 

Stephen Ferrell, CISA CRISC, and Chief Strategy Officer at Strike Graph

"PCI DSS doesn’t technically provide a certification," Ferrell explains. "However, the AOC serves as a kind of certification since it's the final step in the process. A Qualified Security Assessor (QSA) or company executive signs off on the AOC to formally confirm the audit findings are accurate. When people mention 'PCI certification,' they’re usually referring to the process of obtaining an AOC and verifying compliance."

What is the difference between PCI AOC vs. PCI ROC?

A PCI AOC is a form that merchants and service providers use to confirm their audit results. An ROC (report on compliance) is a detailed report of the audit findings for Level 1 merchants and service providers. For Level 1 entities, the AOC summarizes and verifies the ROC.

A qualified security assessor (QSA) completes the detailed report on compliance (ROC) for Level 1 merchants and service providers to outline how the organization meets PCI DSS requirements. After the audit, the QSA uses the ROC to fill out the shorter, less detailed attestation of compliance (AOC).

Here's a summary of the major differences between an ROC and AOC:

1. Purpose and who needs it:
  • ROC: The ROC is a comprehensive report of an external PCI audit that tests whether a Level 1 merchant or service provider meets PCI DSS requirements. It outlines how the company uses operational controls to comply with each of the 12 PCI DSS requirements and includes results from security tests like external scans and penetration testing.
  • AOC: Every merchant and service provider must submit an AOC, which is more concise. It summarizes the assessment results and formally declares whether the entity is compliant.

2. Who fills it out:
  • ROC: Only Level 1 merchants and service providers need an ROC to be PCI compliant. However, some Level 2 organizations may need to fill out an ROC if they have a history of a recent data breach. Only an external QSA can fill out an ROC.
  • AOC: Every merchant that wants to be PCI compliant must complete an AOC to summarize the results of their PCI audit. For levels 2-4 merchants, an executive officer, such as a CEO, COO, or CFO, typically signs the AOC.

    For Level 1 merchants and service providers, a QSA signs the AOC.

3. Confidentiality:
  • ROC: Organizations consider an ROC confidential because it contains sensitive information about their credit card security processes and environment.
  • AOC: Some organizations share their AOC with stakeholders to demonstrate their compliance and commitment to PCI DSS and credit card security.

    “Many companies share their AOCs with business partners who need verification that the company is PCI compliant,” Ferrell says. “Since the AOC is a more succinct, codified declaration than an SAQ or ROC, it primarily captures and confirms compliance status without revealing important security details.”

    Ferrell adds: “Although the AOC is not absolutely confidential, organizations should carefully consider who they disclose it to.”
 

Attestation of Compliance (AOC) vs. Report on Compliance (ROC)
Components in a PCI DSS AOC

A PCI DSS attestation of compliance includes four sections. The first is basic organizational details. Second is the scope and summary of the PCI assessment. The final two steps are to confirm compliance and address any non-compliance.

The Payment Card Industry Security Standards Council (PCI SSC) publishes specific AOC forms that summarize the reporting documentation organizations use, whether they are completing a report on compliance (ROC) or a self-assessment questionnaire (SAQ).

Level 1 merchants must hire a qualified security assessor (QSA) to conduct an external audit and fill out an ROC. Meanwhile, levels 2-4 merchants complete an SAQ. Each SAQ targets specific business types and payment processing methods. For instance, SAQ-A merchants, who use e-commerce or mail orders and outsource all payment processing, complete a shorter AOC. Because their SAQ requires less information, the AOC also requires less detail. This results in nine types of AOCs for merchants—one for each of the eight SAQs and one for the ROC.  Although there are nine different AOCs, most of them, particularly those for SAQs, are very similar in structure and content.

It's important to fill out the AOC that corresponds with your reporting documentation. You can download the AOC for your assessment type from the PCI SSC document library.

Here's a breakdown of the parts and sections in a PCI DSS AOC for merchants:

  • Part 1: Contact Information
    This part includes basic information about the organization under assessment, such as its company name and address. It also includes information for all assessors involved in the assessment, if any.


  • Part 2: Executive Summary
    Part 2 has seven or eight sections, depending on the type of assessment:
    • For ROC and SAQ-D assessments, there are seven sections. 
      • Part 2a: Payment channels: The entity lists all payment channels covered by the assessment, such as e-commerce, mail order, or card-present channels. It also asks merchants to describe any payment channels outside the PCI assessment's scope.
      • Part 2b: Description of role with payment cards: The entity describes how it stores, processes, and transmits account data for each payment channel.
      • Part 2c: Description of payment card environment: The entity gives a high-level description of the card environment in PCI scope.
      • Part 2d: In-scope locations: The entity lists all physical locations covered by the assessment.
      • Part 2e: PCI-validated products: The entity lists all the PCI SSC validated products or solutions they use.
      • Part 2f: Third-party service providers: The entity answers questions about third-party service providers and lists all third-party providers along with a description of their services.
      • Part 2g: Summary of assessment: The organization checks a box for each of the twelve PCI DSS requirements to show whether they are compliant

    • For remaining SAQs (SAQ A, SAQ A-EP, SAQ B, SAQ B-IP, SAQ C, SAQ C-VT, SAQ P2PE)
      • These AOCs have eight sections. The first seven sections (2a-2f) are the same as above.
      • Part 2g: Summary of assessment: This section lists only the PCI DSS requirements that the specific entity is subject to, based on its SAQ type. It usually does not include all 12 PCI DSS requirements.
      • Part 2h: Eligibility for specific SAQ: The entity answers several questions to attest that it is eligible to complete a particular SAQ and the associated AOC.

Part 3: PCI DSS Validation and Attestation Details
Section 3 of the AOC for merchants provides a space for the merchants to declare their compliance type. Here’s a summary of the main sections in Section 3:

Compliance status
Entities must declare their compliance status:
  • Compliant: All requirements are either "In Place" or "Not Applicable."
  • Non-Compliant: Some requirements are "Not in Place" and the merchant is non-compliant with PCI DSS.
  • Compliant with Legal Exception: The merchant did not meet one or more requirements because of a legal restriction. This section includes a section where the merchant can list the affected requirements and add more details.

Part 3a: Merchant Acknowledgment:
The merchant signatory must confirm that they completed the relevant SAQ and will maintain the PCI DSS controls at all times. 

Part 3b: Merchant Attestation:
In this section, the merchant executive officer signs the attestation to officially attest that the AOC is accurate.

Part 3c: Qualified Security Assessor (QSA) Acknowledgement
This section provides space for the QSA to describe their role in the assessment process. The QSA must also sign the document to confirm their involvement.

Part 3d: PCI SSC Internal Security Assessor (ISA) Involvement: 
If the merchant involved an ISA during the assessment, they must describe what specific roles they performed, like conducting testing procedures or offering additional support.

Section 4: Action Plan for Non-Compliance Requirements 
Only merchants who select “non-compliant” in Section 3 must complete Section 4. This section outlines the 12 PCI DSS requirements. Non-compliant merchants must provide a remediation plan for each requirement they fail to meet.

Sections of the AOC Form

 

What’s different in PCI AOC for service providers versus merchants?

The main difference between the PCI AOC for service providers and merchants is in Part 2, which focuses on scope. Service providers must answer different questions that reflect their broader scope and higher compliance standards. Otherwise, the major categories and parts of the AOC are identical.

The AOCs for merchants and service providers differ slightly based on how each handles credit card data. Service providers face stricter requirements and have only two levels. Level 1 service providers complete an AOC based on an ROC assessment. Level 2 service providers, like Level 2-4 merchants, don’t need an ROC and instead complete an SAQ. All Level 2 service providers fill out an SAQ-D. In contrast, merchants fall into one of eight SAQ types depending on their business model.

Here's a summary of how the AOCs differ for service providers and merchants that fill out the same reporting documentation (ROCs or an SAQ-D):

Parts 1, 3, and 4 are the same.

Part 2 focuses on the scope of the assessment for both merchants and service providers but asks different questions. 

  • For merchants, Section 2a, titled "Merchant Business Payment Channels," asks merchants to list all payment channels they use that are included in their assessment. It also requests information about payment channels that are not in the scope of the assessment.
  • For service providers, Section 2a, titled "Scope Verification," prompts service providers to identify all services they offer that are in scope. Also, it requires them to provide a list of services not included in the assessment scope.
  • For merchants, Section 2g, titled “Summary of Assessment,” asks the entity to confirm whether they conform to the 12 PCI requirements and Appendix A2.
  • For service providers, Section 2g asks whether they conform to Appendix A1, as well as requirements 1-12 and Appendix A2. Appendix A1 describes additional PCI DSS requirements only applicable to multi-tenant service providers.

To fill out a PCI DSS attestation of compliance, follow these steps:

  • Determine your PCI DSS level 
  • Conduct an internal or external audit 
  • Remediate any issues and complete the required reporting (An ROC or SAQ) 
  • Submit the AOC to attest your compliance

Here's a list of the steps that every organization must take to complete an AOC:

  1. Educate
    Start by identifying your PCI DSS level and determining whether your organization is a merchant or a service provider. Next, your compliance team can familiarize themselves with the specific requirements that apply to your organization. Next, draft a PCI security policy that clearly outlines your compliance strategy.

  2. Audit
    Based on your PCI DSS level, conduct an internal audit or hire an external QSA to perform the audit and see if you are PCI DSS compliant. Use the PC DSS v4.0.1 standard to guide your audit and ensure you are testing your security systems, network configurations, access control procedures, and all the other PCI DSS requirements that ensure you are safeguarding cardholder data. The audit will reveal areas where your business is compliant and where you may fall short.

  3. Assess and report
    Use the audit results to complete an SAQ or ROC. If you are a level 2-4 merchant, ensure you are selecting the right SAQ from the eight options. The correct SAQ depends on your business model and how you handle cardholder data.

  4. Remediate
    If your audit and any risk analysis compliance risks, remediate any vulnerabilities or deficiencies. Then, re-perform the assessment or security tests to confirm you resolved the issue.

  5. Submit AOC
    Complete the AOC form specific to the type of assessment (ROC or one of eight types of SAQ) to certify the results from your assessment and attest that you are PCI DSS compliant.

    Ferrell says that merchants and service providers do not submit their PCI documentation to the PCI SSC. “Instead, organizations submit information like AOCs, ROCs, or SAQs, to their acquiring bank or their payment bands that they partner with,” he says.

    He adds that there is no standard deadline for submitting the AOC. “The date depends on the organization’s specific cycle of compliance, or by any deadlines that their acquiring bank or payment brands established.”

Blog Graphic [steps-to-PCI-aoc_SG blog_Nov_2024]

Sample PCI AOC document

Download a sample PCI AOC to see what a completed document looks like. This fictional example provides context for AOC categories and helps you understand the types of data needed to complete your own AOC comprehensively.

You can find a sample PCI AOC document in our PCI DSS Compliance Starter Kit.

Strike Graph’s PCI DSS Compliance Starter Kit has everything you need to hit the ground running. It includes AOC templates that help streamline your documentation process. It also features other PCI essentials like a policy template, a compliance checklist, and more.

Blog Graphic [PCI DSS starter-kit-graphic]

Download the PCI DSS Compliance Starter Kit

The main benefit of PCI attestation is that it confirms that you protect credit card data according to PCI DSS standards. This compliance lets you work with major card companies, shows your dedication to security, and boosts your reputation as a secure business.

Michelle Strickler, Information Security and Data Privacy Compliance Strategist at Strike Graph“PCI DSS compliance matters because it is a requirement for doing business with the big credit card companies,” says Michelle Strickler, Information Security and Data Privacy Compliance Strategist at Strike Graph.” 

“Demonstrating compliance via an ROC with an AOC or via an SAQ with an AOC has more weight than simply declaring or stating one is compliant. That’s because whoever signs the AOC – whether it’s a QSA for a Level 1 merchant, an executive, or a PCI DSS consultant – is attesting that the compliance assessment is accurate – their signature is on the line.”

Here's a summary of the benefits of attesting to PCI compliance:

  • Completes the formal PCI compliance process 

Formally attesting PCI compliance with an AOC is the last step in becoming Pci compliant. It verifies that you meet PCI DSS standards and allows you to continue partnering with major credit card companies.

  • Boosts your reputation
    “In the grand scheme of things, showcasing an organization's dedication to PCI DSS via an AOC can greatly improve its standing,” says Ferrell. “Demonstrating a serious approach towards data security helps foster trust among business associates and clients.”


    Reduces risk of data breaches
    Compliance with PCI DSS standards helps you implement robust security measures to protect credit card information. Your compliance shows that you actively work to prevent data breaches, such as account data compromise events (ADC) and other security threats.


  • Avoid potential fines and penalties
    PCI compliance helps you avoid potential fines and penalties that you may face if you’re non-compliant.


  • Improves security practices and reveals issues
    Achieving PCI compliance involves reviewing and enhancing your security practices. This continuous improvement helps you stay ahead of emerging threats and ensures that your security measures remain effective. Proactive companies can streamline their PCI DSS compliance efforts by taking a comprehensive and holistic approach to regulatory adherence.

    For example, Ferrell points out that many companies use their PCI DSS compliance evidence to comply with NIST or ISO 27001 frameworks.

    “The core security concepts frequently coincide in these frameworks, even though the exact requirements may differ,” he explains. “With this integrated approach, an organization can streamline their overall compliance processes to create a more robust security program.”

 

How to renew and maintain an AOC

Every merchant and service provider must conduct a new PCI audit annually and submit a new AOC. To pass the assessment, companies must keep up with any PCI requirement changes and consistently uphold security standards.

Jedras says that the specific deadlines for submitting PCI documentation vary by organization.

“The PCI SSC doesn’t mandate when to submit documentation; instead, it’s up to the credit card companies, which all require organizations to submit an AOC every year. In practice, each deadline is based on the organization’s individual compliance cycle, meaning the date they submitted their first PCI compliance documentation.”

Although the PCI SSC does not set deadlines, it does create and distribute the AOC and frequently updates the PCI standards to reflect changing security environments. 

“The AOC procedure may change when the PCI SSC updates the standard or other regulations,” explains Ferrell. “That’s why it’s so important for companies to keep up with these developments and modify their compliance initiatives as necessary. Some ways to stay up to date are working with an experienced QSA, going to industry events, and subscribing to PCI SSC updates.”

Most errors in a PCI AOC occur when organizations don't provide complete or accurate responses to the questions. A common challenge is fully understanding the extent of the PCI scope. Sometimes, merchants also complete the wrong self-assessment questionnaire (SAQ).

“One of the biggest mistakes companies make when filling out their AOC is misinterpreting the scope of their assessment,” says Ferrell. “This misunderstanding can lead organizations to select the wrong SAQ, which in turn results in filling out the incorrect AOC. It’s a cascading error that complicates the process and may require starting over.”

He adds: “Failing to account for compensatory controls is another common issue. Compensatory controls are alternative security measures that companies use when they can’t meet a specific PCI requirement in the standard way, and forgetting to document them leaves compliance gaps. It is essential to be exact and comprehensive.”

Here's a summary of the major challenges and errors when filling out an AOC:

Common mistakes made when filling out an AOC include misinterpreting the assessment's scope, recognizing the SAQ type erroneously, or failing to record compensatory controls adequately. It is essential to be exact and comprehensive.

  • Misinterpreting the scope
    It’s up to the organization to clearly define their PCI scope, or the systems, people, and processes that interact with cardholder data and are subject to PCI DSS security requirements.

    “Many organizations struggle to clearly define the scope of their PCI assessment, which can lead to problems during external audits or internal self-assessments,” Jedras says. “Since the AOC relies on the results of these audits, any issues can lead to inaccurate or incomplete answers on the AOC.”

    A related challenge is answering questions on the AOC about which systems the organization operates outside the PCI scope. If an organization misidentifies its in-scope systems, it will also likely misunderstand its out-of-scope systems.

  • Failing to record compensatory controls
    PCI DSS requires specific security measures, but when an organization can't implement a control exactly as described, it can use a compensatory control that meets the same security objectives. One of the most common errors is failing to document these compensatory controls on the AOC. Compliance auditors need to see what alternative measures you’re taking to protect cardholder data.

  • Completing the incorrect SAQ
    There are eight types of SAQs depending on how an organization processes and stores cardholder data. The PCI SSC publishes a specific AOC that corresponds with each SAQ. So, if a merchant or service provider selects the wrong SAQ, they automatically will complete the incorrect AOC and may provide irrelevant information. It’s important to pick the right SAQ to ensure the AOC reflects the organization’s true compliance status.

  • Overlooking updates and changes to PCI DSS
    The PCI SSC regularly updates the PCI DSS to address emerging threats and technologies. Organizations that overlook changes or fail to update their practices to align with the latest version of PCI DSS, which may mean that they don’t perform a comprehensive assessment that tests for all the requirements.

 

How Strike Graph can simplify your PCI AOC process and certification

Strike Graph supports you along every step of the PCI DSS process, making compliance easier than ever. With a centralized dashboard, you can easily pull data for SAQs and AOCs. Its proactive compliance monitoring identifies issues before you submit, saving you time and resources.

“Using Strike Graph to maintain and track your PCI compliance pays off along all parts of your PCI DSS process, including filling out documentation like the SAQ and AOC,” says Strickler. “These documents all ask questions that you can easily answer by pulling data from your centralized Strike Graph compliance dashboard and your control library.”

More companies are turning to Strike Graph for compliance. It consolidates multiple frameworks, from SOC 2 to PCI DSS, allowing organizations to track and manage them efficiently. Unlike other compliance software, Strike Graph puts you in the driver’s seat, enabling you to design a personalized compliance program that meets your needs.

As your business grows, so do your compliance needs. Strike Graph handles compliance automation for multiple frameworks simultaneously, allowing you to focus on business growth while we handle the compliance legwork.

PCI DSS Attestation FAQs

Understanding the PCI DSS AOC process can be difficult. Here, you’ll find answers to frequently asked questions to clarify misconceptions and provide essential information on PCI DSS compliance and the AOC.

Can you share your PCI compliance attestation?

Yes, you can share your PCI compliance attestation, but be cautious. Sharing your PCI AOC can confirm your compliance status and solidify your reputation. However, it’s essential to limit distribution to partners or stakeholders who need the information.

How long is a PCI attestation of compliance valid?

A PCI attestation of compliance (AOC) is valid for one year. Check with the entity receiving your documentation, typically your acquiring bank or credit card partners, to confirm details and submission requirements.

Who issues a PCI AOC?

The PCI Security Standards Council (PCI SSC) provides the AOC templates. Organizations then fill out and sign the AOC. For Level 1 entities, a Qualified Security Assessor (QSA) completes and signs the AOC. Lower-level entities may have a company executive sign it.

Is PCI AOC confidential?

The PCI AOC is not fully confidential, but experts recommend handling it with care. Share it only with important business partners.

Who signs a PCI AOC?

The AOC signer depends on the organization’s PCI DSS level. It might be a Qualified Security Assessor (QSA), a company executive, or another authorized person. This person confirms that the AOC is accurate and that the organization meets PCI DSS requirements.

How frequently must you submit a PCI attestation of compliance?

You must submit a PCI attestation of compliance every year. The exact timing depends on your organization’s compliance cycle and your acquiring bank or payment partners' requirements. Typically, organizations submit it around the same time each year.
 

Who needs to see the AOC?

Your acquiring bank or credit card partners need to see the AOC. They also need to see your other documentation, such as a report on compliance (ROC) or self-assessment questionnaire (SAQ). Some organizations also share their AOC with key business partners to verify their compliance.
 

What does attestation of compliance mean?

An attestation of compliance (AOC) is a formal declaration that confirms an organization meets PCI DSS requirements. It "attests" or declares PCI compliance by summarizing the results of a PCI audit or self-assessment and verifying that the organization is compliant.
 

Who do you submit a PCI Attestation of Compliance to?

You submit a PCI attestation of compliance (AOC) to your acquiring bank or payment partners.

Keep up to date with Strike Graph.

The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.