A PCI Report on Compliance (RoC) is an assessment that tests a company’s security controls that protect cardholder data. 

The report details whether your company meets all 12 requirements of the PCI DSS standard and any deficiencies discovered during the assessment. 

However, an RoC is not required for every merchant or service provider. Below, we break down who needs one and how the RoC process works.

Who needs a PCI DSS RoC?

Acquiring banks or payment card brands require, at a minimum, that you complete an annual compliance report and quarterly network scans. 

Depending on what PCI level your business falls under, the compliance report will either be an RoC or a self-assessment questionnaire (SAQ). 

RoCs are required for Level 1 merchants and service providers and potentially Level 2 merchants, depending on credit card brand requirements. 

• Level 1 merchants: 6 million or more transactions per year
• Level 2 merchants: 1 million-6 million transactions per year
• Level 1 service providers: 300,000 or more transactions per year  

Merchants and service providers that do not need an RoC for PCI compliance will complete an SAQ. 

If you’re not sure whether your business needs an RoC or SAQ, you can turn to your acquiring bank for help.

Who can conduct an RoC?

An RoC must be completed by a Qualified Security Advisor (QSA) or an Internal Security Assessor (ISA). 

An ISA is an internal employee who has undergone PCI DSS training. While some organizations use an internal assessor from their staff to complete the RoC, many choose to hire an independent third party. 

The PCI Security Standards Council provides a list of QSAs to help you find one near you. 

What is the RoC process?

QSAs or ISAs use the RoC Reporting Template to create a summary of findings detailing the controls in place and documentation provided during the audit stage. 

After completing an RoC, the assessor will present their findings to the company’s acquiring bank. If the acquirer accepts the RoC, it will be sent on to the payment brands for verification. 

Payment brands set audit frequency, but in general, a Level 1 merchant or service provider will need to undergo a full audit and complete an RoC annually.

RoC sections

An RoC is split into two parts: an assessment overview and a summary of findings. 

• Executive summary: Provides an overview of the report findings related to the security of cardholder data 
• Description of scope and approach taken: Details the network segmentation, payment applications, the PCI DSS version used for the assessment, and the timeframe 
• Details about the reviewed environment: Includes a diagram of each network segment, a description of the cardholder data environment (CDE), service providers, individuals interviewed during the audit, and relevant business documentation
• Contact information and report date: Includes the contact information for the merchant and assessor and the date of report
• Quarterly scan results: A summary of the four most recent quarterly scan results
• Findings and observations: A summary of any findings that may not fit in the standard RoC template, including details on compensating controls

What are the possible RoC results?

There are five possible assessment findings for PCI DSS requirements:

• In place: Testing has been performed and all elements of the requirement are met
• In place with remediation: The requirement was not met at some point during the assessment, but was remediated before the completion of the assessment 
• Not applicable: The requirement does not apply to the organization
• Not tested: The requirement was not included in the assessment and not tested in any way
• Not in place: Some or all elements of the requirement have not been met, are in the process of being implemented, or require further testing

An organization is not considered compliant if there are open items or items to be addressed at a future date. Validation is all or nothing, so all requirements must be met to be considered PCI compliant.

PCI RoC vs. AoC: How are they different?

An RoC is an assessment that determines PCI compliance. An attestation of compliance (AoC) confirms that the RoC is accurate. 

An RoC must be completed prior to an AoC, which is seen as the last step in the compliance process. Both are required to prove compliance with the PCI standard.

Why you should consider completing an RoC

Even if an RoC isn’t required for your business, you might want to consider completing one anyway. 

A completed RoC offers business a variety of benefits that include:

• Assurance: By having an independent third party assess your cardholder data security, you will have the peace of mind knowing that you’re meeting security standards and adequately protecting customer data. 
• Competitive advantage: Businesses that choose to complete an RoC prove to potential and current customers that they’re serious about cardholder data security. 
• Credibility: Ensuring you have a secure cardholder data environment translates to better security practices across the organization. This can lead to fewer data breaches and stronger customer trust.

How Secureframe can help you prepare for an RoC

Not sure if you’re ready to prove compliance with an RoC? 

Secureframe’s team of PCI DSS experts can help get your team and cardholder data environment audit-ready by quickly identifying gaps and assisting with remediation. 

Request a demo today to see how Secureframe can help streamline your audit process.