PCI Compliance

The Intricacies of ROC and AOC in PCI Compliance: Definitions, Differences, & Requirements

By Dr. Rey Leclerc Sveinsson, ERMProtect, Information Security Consultant

A happy day for retailers is the day they receive arcane-sounding documents called a “ROC” and an “AOC.” In basic terms, these documents certify that the retailer is complying with robust IT security standards designed to protect the confidentiality of credit card holder data.

Keeping this high-value data out of the hands of hackers is no easy task. That is why many years ago, the major credit card brands created the Payment Card Industry Data Security Standards (PCI DSS), which specifies security controls that must be in place at businesses that process, transmit or store credit card information.

In short, businesses that transmit, process, or store credit card information must be PCI compliant.

That brings us back to ROCs (Report on Compliance) and AOCs (Attestation of Compliance). Businesses must certify their PCI compliance in one - or sometimes both - of these documents, if they want to continue using credit cards and avoid fines by the major brands such as Master Card, American Express, Visa, etc.

So, what are these pivotal PCI compliance documents and how are they different? Read on to learn the vital roles each plays in addressing requirements of entities involved in payment processing.

What is a Report on Compliance (ROC)?

A Report on Compliance (ROC) is an extensive document that provides a detailed account of  an organization's adherence to the PCI DSS requirements. The ROC document is prepared by cybersecurity professionals trained in information security and certified in PCI compliance by the PCI Data Security Council.

ROC Template

ROC Template from the PCI Security Standards Council

These professionals are called Qualified Security Assessors (QSA) or an Internal Security Assessors (ISA). They review and document security controls in place, then fill out the ROC to verify that the entity is in full compliance with all applicable PCI DSS standards. A list of companies certified to perform QSA assessments can be found here.

Content of an ROC

The ROC includes detailed findings from the PCI DSS assessment, which covers:

  • The scope of the assessment, detailing the environments and systems that were reviewed.
  • A description of the methodologies used during the assessment.
  • Detailed findings for each PCI DSS requirement, indicating whether the organization meets or does not meet these requirements.
  • Evidence supporting the assessment findings, such as configurations, screenshots, and policies.

A ROC is typically required for entities that handle large volumes of transactions, specifically those designated as Level 1 merchants or service providers. These are generally defined as merchants processing over 6 million transactions per year, or service providers handling over 300,000 transactions annually.

What is an Attestation of Compliance (AOC)?

The Attestation of Compliance (AOC) is a formal statement or declaration that an entity complies with the PCI DSS. It is a shorter document compared to the ROC and is used to attest that an entity has completed required assessments and met PCI DSS requirements.

AOC Checklist

Content of an AOC

The AOC includes:

  • Identification of the entity being assessed.
  • Details about the scope of the assessment.
  • Confirmation from the assessor that the assessment was conducted according to PCI DSS standards.
  • A declaration of the results of the compliance assessment, stating whether the entity is compliant, partially compliant, or non-compliant.

The AOC serves as proof of compliance and is often required by acquirers, banks, or other partners to establish business relationships in the payment industry.

Differences Between ROC and AOC

While both documents are related to PCI DSS compliance, they serve different purposes and are used in different contexts:

  • Purpose: The ROC provides a detailed technical review and documentation of compliance with each PCI DSS requirement. In contrast, the AOC is a summary certification used primarily as proof of compliance for external parties.
  • Who prepares it? The ROC is prepared by a QSA or an ISA, providing an external or internal validation of compliance. The AOC can be completed by the organization itself for self-assessment purposes in certain cases
  • Detail level: The ROC is a more detailed document that includes specific findings and evidence from the compliance assessment. The AOC is more of a summary document that confirms overall compliance status without going into detail.

Who Needs These PCI Compliance Documents?

  • ROC: Required by all Level 1 merchants and service providers as defined by PCI DSS. This includes entities processing over 6 million transactions per year or service providers handling over 300,000 transactions annually.
  • AOC: Needed by all entities that must validate compliance with PCI DSS, regardless of size. This includes not only Level 1 entities but also smaller merchants and service providers who may assess their own compliance by filling out a Self-Assessment Questionnaire (SAQ) and generate an AOC to attest to their compliance.

Updates in PCI DSS 4.0 Affecting ROC and AOC

The recent transition from PCI DSS 3.2.1 to PCI DSS 4.0 brings several updates and new requirements, but the fundamental concepts and requirements surrounding the Report on Compliance (ROC) and Attestation of Compliance (AOC) remain largely consistent. However, there are enhancements and clarifications to adapt to the evolving security landscape and technological advancements. Here's how these changes may affect ROC and AOC documents under PCI DSS 4.0:

  1. Enhanced Flexibility and Customization: PCI DSS 4.0 introduces more flexibility for organizations to meet security requirements through customized approaches. This means that the ROC will need to document not only whether standard controls are in place but also how customized controls meet the security objectives of the standard. This could lead to a more detailed and nuanced ROC as organizations leverage different methods to achieve compliance.
  2. Greater Detail in Documentation: With the shift toward more customized solutions, QSAs will need to provide more detailed justifications in the ROC about how the implemented controls provide effective security, even if they deviate from traditional methods. The AOC will still serve as a summary affirmation of compliance, but it might reference more complex underlying assessments in the ROC.
  3. Increased Emphasis on Continuous Security Monitoring: PCI DSS 4.0 puts a stronger emphasis on continuous monitoring and testing of security controls. This ongoing process may influence the content of the ROC, requiring it to include details about the mechanisms in place for continuous monitoring and improvement. Compliance validation, and by extension the AOC, may also need to reflect this continuous compliance stance.
  4. Broader Scope for Encryption and Authentication: With updated requirements on encryption and multifactor authentication extending to all users accessing the cardholder data environment (not just those accessing it remotely), the ROC documentation will need to cover these broader implementations. The AOC will need to affirm compliance with these expanded requirements.

Wrapping Up ROCs and AOCs

The ROC and AOC are integral to the PCI DSS compliance process, ensuring that entities involved in payment processing meet stringent security standards. Understanding the nuances between these documents and their respective requirements helps organizations navigate PCI compliance more effectively, ensuring the security of cardholder data and maintaining trust within the payment ecosystem.

As the digital payment landscape continues to evolve, staying diligent in these compliance efforts is more important than ever.

PCI Compliance With ERMProtect

Compliance with the PCI standards helps companies protect themselves against data breaches and lessen their consequences if they occur. This is where ERMProtect can help. At ERMProtect, we have practical experience in application security, information systems security, network security, IT security auditing, and information security risk assessments. Our experience will expedite the certification process.

We are a certified PCI compliance company. Our professionals include several certified QSAs who can perform PCI QSA compliance assessments. They possess one or more industry-recognized professional certifications in Information Security such as:

  • Certified Information System Security Professional (CISSP
  • Certified Information Security Manager (CISM)
  • Information Systems Auditor (CISA)

These designations demonstrate a commitment to professional standards and continuing education that keeps him or her at the forefront of an ever-changing security landscape.

With the right tools, careful planning and knowledge of the requirements, companies can set themselves up to not only follow the rules, but to even provide additional security around their customers’ payment data. We are here to assist

For more information or a free consultation, please contact Judy Miller at [email protected], [email protected] or call 305-447-6750.


Subscribe to Our Weekly Newsletter

Intelligence and Insights

How Merchants Can Become PCI-DSS Certified

Follow These 4 Steps to Achieve PCI DSS Certification

For all organizations that process payment cards, the Payment Card Industry Data Security Standard (PCI-DSS) certification is high up the data security and compliance priority list …
ai in penetration testing

How Will AI Change Penetration Testing?

There’s a strong application of AI in penetration testing on the horizon, but the future of penetration testing will be a hybrid approach of human brain & AI …
Vetoes Cybersecurity “Safe Harbor” Bill

Florida Governor Vetoes Cybersecurity “Safe Harbor” Bill

Florida Governor Ron DeSantis vetoed HB 473, a bill that would have extended “safe harbor” from data breach litigation to businesses compliant with certain industry-recognized cybersecurity standards …