What Is a PCI Attestation of Compliance (AoC)?

May 17, 2022

It’s a well-known fact in the world of compliance that businesses that accept card payments must comply with PCI DSS.

If this describes you, you may be wondering how to prove that you’re PCI compliant. That’s where a PCI Attestation of Compliance (AoC) comes in.

In this guide, we’ll explain everything you need to know about a PCI AoC and how to obtain one to demonstrate your compliance with PCI DSS.

What is a PCI AoC?

A PCI Attestation of Compliance (AoC) is a declaration of an organization’s compliance with PCI DSS. It serves as documented evidence that the organization’s security practices effectively protect against threats to cardholder data.

This document must be completed by a Qualified Security Assessor (QSA) or by the merchant business itself. A QSA is an entity certified by the Payment Card Industry Security Standards Council (PCI SSC) — the body that established PCI DSS — to perform PCI DSS audits and determine whether organizations are PCI compliant.

QSAs can also help facilitate your organization’s compliance process, which we’ll describe in greater detail later on.

PCI RoC vs. AoC

A PCI Report on Compliance (RoC), similar to an AoC, is a document issued by a QSA to an organization that must comply with PCI DSS. It describes the organization’s security posture, systems, and effectiveness at securing cardholder data to prove that the organization is PCI compliant.

RoCs differ from AoCs in the comprehensiveness of the QSA’s evaluation. RoCs require a QSA to conduct an audit, reviewing the organization’s process documentation and testing its controls.

To receive an AoC, on the other hand, most organizations only need to complete a self-assessment of their compliance, known as a Self-Assessment Questionnaire (SAQ). This is then reviewed by a QSA to determine the organization’s compliance status with PCI.

However, larger organizations that are already being audited by a QSA for an RoC may not need to fill out an SAQ to also receive their AoC. In other words, passing the RoC assessment is often considered enough for an organization to also receive an AoC.

Whether an organization needs an AoC or RoC (or both) depends on the organization’s compliance level — categories that we’ll describe in the following section.

Who needs an AoC?

Every entity that manages cardholder data needs an AoC and must complete an assessment with a QSA to prove compliance with PCI DSS and receive one. 

That said, whether an organization also needs an RoC depends on its compliance level. As a general rule, organizations that process more card transactions fall into compliance levels with stricter QSA assessment criteria.

PCI compliance levels for merchants and service providers

Let’s take a look at how compliance levels for merchants and service providers are determined as well as the PCI compliance certification requirements for those levels.

PCI Compliance Level 1

  • Transactions: Over 6 million per year
  • Certification requirements: Need both an AoC and RoC

PCI Compliance Level 2

  • Transactions: 1 million-6 million per year
  • Certification requirements: Need an AoC and may need an SAQ and RoC

Merchant Level 3

  • Transactions: 20,000-1 million per year
  • Certification requirements: Need an AoC and SAQ

Merchant Level 4

  • Transactions: Under 20,000 per year
  • Certification requirements: Need an AoC and often need an SAQ

Look back at your organization’s transaction records to determine what compliance level you fit into.

While assessment and certification requirements should remain consistent across credit card brands, it’s important to note that the levels differ slightly by brand. Consider doing some research into the levels specified by each card brand you accept to minimize your compliance risk.

If you’re still unsure what documents you need to prove compliance with PCI DSS, contact a QSA for assistance.

How to receive an AoC

In order to receive your AoC, there are a few steps to keep in mind, which we outline below.

Become PCI compliant

The first (and most obvious) step toward earning your AoC is becoming compliant with PCI DSS. Among other requirements, this includes building a secure network wherever cardholders enter their information, enacting measures to protect that network, and applying strict access control measures to protect cardholder data.

Determine your compliance level and assessment type

Once you feel confident that your organization is compliant, you can determine your PCI compliance level and prepare for your QSA assessment.

If your organization fits into Merchant Levels 3 or 4 (fewer than 1 million transactions per year), then you need to fill out an SAQ for a QSA to review. There are several different types of SAQs, so be sure to research which one is right for your organization.

If your organization fits into PCI compliance Levels 1 or 2, you may need to fill out an SAQ and/or be audited by a QSA.

Schedule and complete your assessment

The SAQ review may be completed in person or virtually, depending on your QSA’s preferences. If they determine from your SAQ that you are PCI compliant, then you will receive your AoC from them.

If your organization’s compliance level warrants a QSA audit, the QSA will evaluate your security posture, systems, and overall compliance with PCI. If they determine that your organization is PCI compliant after their evaluation, they will provide you with an AoC (and most likely an RoC, as well).

Sample Attestation of Compliance document

Once your organization has been deemed PCI compliant, you will be given an AoC. See the sample AoC below to understand the information it should contain.

Painlessly secure your PCI AoC with Secureframe

Becoming PCI compliant without help is no easy task.

The standard requires organizations to adopt over 300 rigorous security controls and a dozen security requirements. This can take significant time and energy, delaying the process of getting evaluated by a QSA and receiving your AoC.

But with Secureframe, achieving PCI compliance doesn’t have to be stressful. Our compliance automation platform cuts hundreds of hours off of the compliance process while helping your organization meet all necessary operational controls.

To learn more about how you can use our platform to become and remain PCI compliant, request a demo today.
