What Is a PCI Attestation of Compliance (AoC)?

  • January 24, 2023

Emily Bonnie

Senior Content Marketing Manager at Secureframe


Marc Rubbinaccio

Manager of Compliance at Secureframe

Businesses that accept card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply may result in costly security breaches and fines. 

For example, Wawa recently agreed to pay an $8 million settlement to end the investigation into a December 2019 data breach that compromised approximately 34 million payment cards used across all Wawa stores. The investigation uncovered multiple violations of PCI DSS. 

If your business accepts card payments, then you need to prove that you’re PCI compliant to avoid violations and protect your customer data. That’s where a PCI DSS Attestation of Compliance (AoC) comes in.

In this guide, we’ll explain everything you need to know about a PCI AoC and how to obtain one to demonstrate your PCI DSS compliance.

What is a PCI AoC?

A PCI Attestation of Compliance (AoC) is a declaration of an organization’s compliance with PCI DSS. It serves as documented evidence that the organization’s security practices effectively protect against threats to cardholder data.

This document must be completed by a Qualified Security Assessor (QSA) or the business’s merchant. A QSA is an entity that is certified by the PCI Security Standards Council (PCI SSC) — the body that established PCI DSS — to perform PCI DSS audits and determine whether organizations are PCI compliant.

QSAs can also help facilitate your organization’s compliance process, which we’ll describe in greater detail later on.

The Ultimate Guide to PCI DSS

Learn everything you need to know about the requirements, process, and costs of getting PCI certified. 

PCI RoC vs. AoC

A PCI Report on Compliance (RoC), similar to an AoC, is a document issued by a QSA to an organization that must comply with PCI DSS. It describes the organization’s security posture, systems, and effectiveness at securing cardholder data to prove that the organization is PCI compliant.

RoCs differ from AoCs in the comprehensiveness of the QSA’s evaluation. RoCs require a QSA to conduct an audit, reviewing the organization’s process documentation and testing its controls.

To receive an AoC, on the other hand, most organizations only need to complete a self-assessment of their compliance, known as a Self-Assessment Questionnaire (SAQ). This is then reviewed by a QSA to determine the organization’s compliance status with PCI.

However, larger organizations that are already being audited by a QSA for an RoC may not need to fill out an SAQ to also receive their AoC. In other words, passing the RoC assessment is often considered enough for an organization to also receive an AoC.

Whether an organization needs an AoC or RoC (or both) depends on the organization’s compliance level — categories that we’ll describe in the following section.

Who needs an AoC?

Every entity that manages cardholder data needs an AoC and must complete an assessment with a QSA to prove compliance with PCI DSS and receive one. 

That said, whether an organization also needs a RoC depends on its compliance level. As a general rule, organizations that process more debit card and credit card transactions fit into compliance levels with stricter QSA assessment criteria.

PCI compliance levels for merchants and service providers

Let’s take a look at how compliance levels for merchants and service providers are determined as well as the PCI compliance certification requirements for those levels.

PCI Compliance Level 1

  • Transactions: Over 6 million per year
  • Certification requirements: Need both an AoC and RoC

PCI Compliance Level 2

  • Transactions: 1 million-6 million per year
  • Certification requirements: Need an AoC and may need a SAQ and RoC

Merchant Level 3

  • Transactions: 20,000-1 million per year
  • Certification requirements: Need an AoC and SAQ

Merchant Level 4

  • Transactions: Under 20,000 per year
  • Certification requirements: Need an AoC and often need an SAQ

Look back at your organization’s transaction records to determine what compliance level you fit into.

While assessment and certification requirements should remain consistent across credit card brands, it’s important to note that the levels differ slightly by brand

For example, Visa specifies the exact PCI levels above, but Mastercard differs slightly in its specifications for PCI compliance level 1. Level 1 applies not only to merchants that process over 6 million card transactions annually, but also to merchants that suffered a hack or an attack that resulted in an Account Data Compromise (ADC) event. American Express, Discover, and JCB International also define their levels differently.

Consider doing some research into the PCI levels specified by each card brand you accept to minimize your compliance risk.

If you’re still unsure what documents you need to prove compliance with PCI DSS, contact a QSA for assistance.

How to receive an AoC

In order to receive your AoC, there are a few steps to keep in mind, which we outline below.

1. Become PCI compliant

The first (and most obvious) step toward earning your AoC is becoming compliant with PCI DSS.

This will include creating a secure network wherever cardholders input their information, enacting measures to protect that network, applying strict access control measures to protect credit card data, and maintaining a security policy that addresses information security, among other PCI DSS requirements.

2. Determine your compliance level and assessment type

Once you feel confident that your organization is compliant, you can determine your PCI compliance level and prepare for your QSA assessment.

If your organization fits into Merchant Levels 3 or 4 (fewer than 1 million transactions per year), then you need to fill out an SAQ for a QSA to review. There are several different types of SAQs, so be sure to research which one is right for your organization.

If your organization fits into PCI compliance Levels 1 or 2, you may need to fill out an SAQ and/or be audited by a QSA.

3. Schedule and complete your assessment

The SAQ review may be completed in person or virtually, depending on your QSA’s preferences. If they determine from your SAQ that you are PCI DSS compliant, then you will receive your AoC from them.

If your organization’s compliance level warrants a QSA audit, the QSA will evaluate your security posture, systems, and overall compliance with PCI. If they determine that your organization is PCI compliant after their evaluation, they will provide you with an AoC (and most likely an RoC, as well).

Sample Attestation of Compliance document

Once your organization has been deemed PCI compliant, you will be given an AoC. See the sample AoC below to understand the information it should contain.

Painlessly secure your PCI AoC with Secureframe

Becoming PCI compliant is important — but doing so without help is not easy.

The standard requires organizations to adopt over 300 rigorous security controls and a dozen security requirements. This can take significant time and energy, delaying the process of getting evaluated by a QSA and receiving your AoC.

But with Secureframe, achieving PCI compliance doesn’t have to be stressful. Our compliance automation platform cuts hundreds of hours off of the compliance process while helping your organization meet all necessary operational controls and implement security best practices.

To learn more about how you can use our platform to become and remain PCI compliant, request a demo today.