From basics to best practices: Your ultimate guide to PCI DSS Attestation of Compliance (AoC)

What is PCI DSS Attestation of Compliance, and how do you obtain it? This mandatory verification for entities handling card transactions demonstrates your compliance with the PCI DSS standards. 

In this blog post, we’ll walk you through the essentials of PCI DSS attestation—from the initial steps to achieving and maintaining compliance—helping safeguard your customer transactions and instill trust.

Key takeaways

• An Attestation of Compliance (AoC) is a formal document that verifies a company’s adherence to the PCI DSS requirements for securing cardholder data, and it’s distinct from the Report on Compliance (RoC), which provides a more detailed audit by a QSA.
• All entities that store, process, or transmit cardholder data, regardless of size or transaction volume, must achieve PCI DSS compliance and can be classified into different levels (Levels 1-4) based on their annual volume of transactions.
• Maintaining PCI DSS compliance is not a one-time event but an ongoing commitment that includes periodic risk assessments, regular employee training, and implementation of continuous security measures; the AoC itself is valid for one year and then must be renewed.

What is a PCI Attestation of Compliance?

The PCI Attestation of Compliance (AoC) is a document that validates an organization’s adherence to PCI DSS while safeguarding cardholder data. It is awarded to an organization when it has effectively demonstrated compliance with PCI DSS requirements, as defined by the PCI SSC. 

An AoC not only serves as evidence of compliance but also displays a business’s dedication to maintaining secure payment environments and safeguarding sensitive cardholder information. This commitment to security is crucial for businesses that handle both credit and debit card payments, as it helps protect their reputation and customer data.

A Level 1 merchant or service provider must engage a Qualified Security Assessor (QSA) to attain an AoC. A QSA holds certification to evaluate PCI compliance for businesses that accept card payments. The AoC document must provide detailed information that validates an organization’s compliance with all relevant PCI DSS requirements, further ensuring the security of cardholder data.

Ultimately, the AoC validates that a company has successfully implemented the necessary security measures and controls to comply with PCI DSS, thereby protecting cardholder information from misuse during credit card transactions.

Attestation of Compliance (AoC) vs. Report on Compliance (RoC)

While both the Attestation of Compliance (AoC) and Report on Compliance (RoC) play a role in the PCI compliance process, they serve different purposes. The AoC is a document that affirms a company’s compliance with PCI DSS, whereas the RoC is a more comprehensive audit report conducted by a Qualified Security Assessor (QSA). The AoC is essentially a boiled-down version of the RoC and is publicly available, whereas the RoC has too much detail about the company environment and should never be shared with clients or other third parties.

A key distinction in PCI compliance is that the Report on Compliance (RoC) can only be completed by Qualified Security Assessors (QSAs) after a comprehensive audit of an organization’s security posture and controls. However, the Attestation of Compliance (AoC) is issued for all merchant levels (1-4), regardless of the assessment type—be it SAQ or RoC. For Level 1 merchants, the QSA completes both the RoC and the AoC. For Levels 2-4 merchants, if they choose to have a third party complete the Self-Assessment Questionnaire (SAQ), they will also receive a signed AoC from the QSA or an approved third party.

The RoC validates a merchant’s adherence to PCI DSS and the safeguarding of cardholder data against fraudulent activities and other forms of misuse. Thus, while the AoC serves as a statement of a company’s compliance, the RoC provides a deeper look into an organization’s compliance with PCI DSS requirements.

QSAs are integral to the PCI compliance process, as they guide organizations through the required steps and confirm their compliance with the standards. Therefore, working with a QSA can be a critical step in achieving PCI DSS Attestation of Compliance.

Who needs to obtain an Attestation of Compliance?

The requirement to obtain an Attestation of Compliance is not limited to any specific industry or business size. Entities that handle cardholder data, including merchants and service providers, are required to secure an AoC as proof of their compliance with PCI DSS standards. In other words, if your business involves storing, transmitting, or processing card payments, you are expected to adhere to these standards to ensure the secure handling of cardholder data.

Large enterprises undergoing a QSA audit to produce a Report on Compliance (RoC) often find that successfully completing this assessment is generally considered adequate for the organization to also receive an Attestation of Compliance (AoC).

The complexity of the compliance process and the specific requirements that need to be met can vary significantly depending on the type of business. For instance, merchants and service providers are categorized into different compliance levels based on the annual volume of transactions they process. Hence, comprehending the nature and scale of your business is an essential initial step towards PCI compliance.

Merchants and Service Providers

Within the realm of PCI DSS, merchants are defined by their annual transaction volume, while service providers are considered to be any business entity that facilitates the transmission, storage, or processing of payment card data. As the volume of transactions a merchant or service provider processes increases, so does the stringency of the assessment criteria and methodology. The four levels are:

Level 1

Service providers or merchants that process over 6 million card transactions annually.

Level 2

Service providers or merchants that process 1 to 6 million transactions annually.

Level 3

Service providers or merchants that process 20,000 to 1 million transactions annually.

Level 4

Service providers or merchants that process fewer than 20,000 transactions annually.

Determining your PCI compliance level is a crucial step in understanding your organization’s specific requirements and the assessment process.

---

---

How long is an Attestation of Compliance valid?

Once obtained, the Attestation of Compliance remains valid for a period of one year from the date of the auditor’s sign-off. This implies that PCI compliance for an organization is not a one-off accomplishment but a continuous commitment requiring annual renewal. The renewal process entails refilling the questionnaire and renewing the compliance, a required step to show sustained compliance with the PCI DSS.

Upon the expiration of the Attestation of Compliance (AOC), organizations are required to go through a renewal process for their PCI compliance. This involves completing the relevant audit for their level again to reaffirm their organization’s adherence to the necessary requirements.

 This requirement underscores the importance of maintaining PCI compliance as an ongoing commitment rather than a one-time achievement. Keeping up with the latest PCI DSS requirements and regularly checking for any updates or changes is therefore crucial for any organization handling cardholder data.

Steps to achieve PCI DSS Attestation of Compliance

Obtaining PCI DSS Attestation of Compliance necessitates an organization to adhere to a sequence of steps. The initial procedures involve:

1. Determining the organization’s PCI level
2. Mapping the flow of cardholder data
3. Completing the Self-Assessment Questionnaire (SAQ) or Level 1 audit (RoC)
4. Fulfilling the requirements established by the Payment Card Industry Security Standards Council

While this process might appear overwhelming initially, it can be effectively managed with appropriate guidance and resources.

One crucial resource during this process is a Qualified Security Assessor (QSA). A QSA conducts PCI DSS assessments on organizations to evaluate their adherence to the PCI DSS requirements. Working with a QSA can provide valuable insights and guidance that can help streamline the compliance process.

After the initial procedures are completed, organizations (or their third-party auditor) must then fulfill the Self-Assessment Questionnaire (SAQ) to prove compliance for PCI DSS Attestation of Compliance.

The final step involves submitting the AoC and RoC, which serve as evidence of an organization’s compliance with the PCI DSS requirements.

Becoming PCI compliant

The journey towards obtaining an Attestation of Compliance begins with becoming PCI compliant, which entails the implementation of security measures, access controls, and comprehensive information security policies. 

Some of the security measures necessary for PCI compliance include proper firewall configuration, strong passwords and access controls, and regular testing of security systems.

These policies should encompass establishing a secure network and implementing measures to safeguard it, enforcing stringent access control measures to protect credit card data, and upholding an active and current security policy.

Working with a Qualified Security Assessor

A Qualified Security Assessor (QSA) can offer substantial assistance throughout the PCI compliance process. QSAs are independent security organizations authorized by the PCI Security Standards Council to evaluate compliance with the PCI DSS standards. 

When selecting a suitable QSA, organizations should refer to the PCI Security Standards website to identify a listed and suitable PCI QSA. It’s also advisable to verify that the QSA’s name and certifications are clearly stated on any contract to facilitate the comparison of proposals.

Completing the Self-Assessment Questionnaire (SAQ) and the Report on Compliance (RoC)

The Self-Assessment Questionnaire (SAQ) is an essential tool for evaluating an organization’s compliance with the 12 PCI DSS requirements. There are different categories of SAQs, such as A, A-EP, B, B-IP, C-VT, C, P2PE, and D. 

Each SAQ is designed to address specific environments, and the SAQ addresses specific areas of PCI DSS compliance in accordance with the requirements outlined in the PCI DSS. Therefore, completing the SAQ is a crucial step in the process of achieving PCI DSS Attestation of Compliance.

Submitting the Attestation of Compliance

The last step in proving PCI compliance is submitting the Attestation of Compliance to pertinent parties like clients and, if the client is registered to be listed on banking websites, banks and credit card companies. The procedure for submitting the Attestation of Compliance entails the completion of the document by a Qualified Security Assessor (QSA). This document serves as a testimony of the organization’s compliance with PCI DSS standards.

Once the AoC is completed, it should be provided to the pertinent parties. These may include entities that necessitate evidence of adherence to laws, regulations, contracts, and the PCI DSS framework, such as financial institutions and credit card companies affiliated with the merchant or service provider.

Resources and support for achieving PCI compliance

To learn more about PCI DSS compliance, check out these useful posts:

• PCI DSS compliance checklist: The 12 requirements
• Consequences of non-compliance: Uncovering PCI DSS fines and penalties
• Understanding PCI DSS encryption requirements in 2023

Foster trust through PCI DSS compliance with Thoropass

PCI Data Security Standards (PCI DSS) is required for any businesses that process, store, or transmit credit cards and is enforced by the Card Brands and Acquiring Banks. Thoropass streamlines and accelerates your certification by combining automation with self-assessment support and expert insights. Get certified faster with less work and headaches.

Oro provides content designed to educate and help audiences on their compliance journey.

---