
A PCI Report on Compliance (RoC) is an assessment that tests the security controls a company uses to protect cardholder data.
The report details whether your company meets all 12 requirements of the PCI DSS standard and any deficiencies discovered during the assessment.
However, an RoC is not required for every merchant or service provider. Below, we break down who needs one and how the RoC process works.
Acquiring banks or payment card brands require, at a minimum, that you complete an annual compliance report and quarterly network scans.
Depending on what PCI level your business falls under, the compliance report will either be an RoC or a self-assessment questionnaire (SAQ).
RoCs are required for Level 1 merchants and service providers and potentially Level 2 merchants, depending on credit card brand requirements.
Merchants and service providers that do not need an RoC for PCI compliance will complete an SAQ.
If you’re not sure whether your business needs an RoC or SAQ, you can turn to your acquiring bank for help.
An RoC must be completed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA).
An ISA is an internal employee who has undergone PCI DSS training. While some organizations use an internal assessor from their staff to complete the RoC, many choose to hire an independent third party.
The PCI Security Standards Council provides a list of QSAs to help you find one near you.
QSAs or ISAs use the RoC Reporting Template to create a summary of findings detailing the controls in place and documentation provided during the audit stage.
After completing an RoC, the assessor will present their findings to the company’s acquiring bank. If the acquirer accepts the RoC, it will be sent on to the payment brands for verification.
Payment brands set audit frequency, but in general, a Level 1 merchant or service provider will need to undergo a full audit and complete an RoC annually.
An RoC is split into two parts: an assessment overview and a summary of findings.
There are five possible assessment findings for PCI DSS requirements:
An organization is not considered compliant if there are open items or items to be addressed at a future date. Validation is all or nothing, so all requirements must be met to be considered PCI compliant.
An RoC is an assessment that determines PCI compliance. An attestation of compliance (AoC) confirms that the RoC is accurate.
An RoC must be completed prior to an AoC, which is seen as the last step in the compliance process. Both are required to prove compliance with the PCI standard.
Even if an RoC isn’t required for your business, you might want to consider completing one anyway.
A completed RoC offers businesses a variety of benefits, including:
Not sure if you’re ready to prove compliance with an RoC?
Secureframe’s team of PCI DSS experts can help get your team and cardholder data environment audit-ready by quickly identifying gaps and assisting with remediation.
Request a demo today to see how Secureframe can help streamline your audit process.