If your organization accepts, handles, stores, transmits, or impacts the security of cardholder data, then you need to be PCI compliant. Your acquiring banks,payment card brands, or customers could require that you complete PCI compliance annually at a minimum. 

Depending on what PCI level your business falls under, the compliance report will either be a Report on Compliance (RoC) or a self-assessment questionnaire (SAQ).

PCI RoC vs SAQ

PCI RoC is an external audit performed by a Qualified Security Advisor (QSA) or Internal Security Assessor (ISA) to determine whether your organization’s policies and procedures, configurations of networks and applications, and general security controls meet PCI DSS requirements

PCI SAQ is a series of yes or no questions that include all 12 requirements which require you to attest that your organization meets PCI DSS standards. This can be completed by your organization or can be reviewed by a QSA to determine the organization’s compliance status with PCI.

There are 8 types of self-assessment questionnaires for merchants and service providers to prove their PCI DSS compliance.

Who needs a RoC vs SAQ?

RoC applies to Merchant Level 1 and Service Provider Level 1 organizations. So, you qualify for RoC if your organization:

  • Accepts card payments in exchange for goods and services AND processes over 6 million transactions per year; or 
  • Processes cardholder data on behalf of another company AND processes over 300 thousand transactions per year

RoCs are also potentially required for merchants and service providers that process less transactions than the above threshold, depending on the risk requirements of the customers and banks they are working with. 

If you don’t fall into these categories, you’ll need to complete an SAQ. 

Who can conduct an RoC vs SAQ?

An RoC must be completed either by a certified QSA or an ISA. The PCI Security Standards Council provides a list of QSAs to help you find one near you.

SAQs are conducted internally by the organization, but can be reviewed by a QSA to determine the organization’s compliance status with PCI. 

How often should an organization complete an RoC vs SAQ?

Payment brands set audit frequency, but in general, a Level 1 merchant or service provider will need to undergo a full audit and complete an RoC annually.

Payment brands also set the frequency for SAQs, but in general, Level 2-4 organizations should complete one annually. Most brands also require these organizations to complete and submit an AoC annually. 

RoC vs SAQ Parts

An RoC is split into three parts: an executive summary,  a summary of findings, and the attestation of compliance.

  1. The executive summary describes how the audit was conducted and what was tested including many specific details of an organization including diagrams, cardholder data, environment details, and assessor information.
  2. The summary of findings is where the QSA will document how they have observed or inspected controls in place and mark their findings for each requirement.
  3. The attestation of compliance is a summary showing which requirements were marked in-place, not in-place, or not applicable and is where the QSA signs off on the organizations compliance status. . 

The SAQ also has three parts: 

  1. A business overview where you document details of your service and cardholder data environment
  2. A set of self-guided questions designed to assess your level of compliance
  3. An attestation of compliance, which requires you to attest that you're both qualified to perform the SAQ and have done so

RoC vs SAQ results

In PCI DSS 4.0, there are different types of results for the ROC and SAQ respectively. They are listed below.

  • In place: Testing has been performed and all elements of the requirement are met.
  • In place with remediation (SAQ only): The requirement was not met at some point during the assessment, but was remediated before the completion of the assessment. 
  • In place with CCW (SAQ only): The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.
  • Not applicable: The requirement does not apply to the organization.
  • Not tested: The requirement was not included in the assessment and not tested in any way.
  • Not in place: Some or all elements of the requirement have not been met, are in the process of being implemented, or require further testing.

An organization is not considered compliant if they fail to meet any requirement within the PCI DSS. Validation is all or nothing, so all requirements must be met to be considered PCI compliant.

RoC vs SAQ process

There are six major steps for completing an RoC:

  • Step 1: Determine the QSA you will use or ISA that will perform the assessment.
  • Step 2: Prepare for the assessment by reviewing requirements, scope and controls.
  • Step 3: Conduct the assessment.
  • Step 4: Remediate findings.
  • Step 5: Submit the attestation to inquiring parties.
  • Step 6: Maintain compliance throughout the year.

The SAQ process can also be broken down into six steps. 

  • Step 1: Determine who internally is going to perform the assessment, or reach out to a QSA firm.
  • Step 2: Prepare for the assessment by reviewing requirements, scope and controls.
  • Step 3: Conduct the assessment.
  • Step 4: Remediate findings.
  • Step 5: Submit the attestation to inquiring parties.
  • Step 6: Maintain compliance throughout the year.

Below is a summary of the key differences between the RoC and SAQ.

RoC SAQ
What is it? An external audit performed by a QSA or ISA A self-assessment questionnaire designed to assess an organization’s level of compliance
Who needs one? Level 1 merchants and service providers Merchants and service providers that do not need a full Level 1 RoC for PCI compliance
Who can conduct one? QSA or ISA An internal party can conduct the assessment and the SAQ can also be reviewed by a QSA
How often should one be completed? Annually (unless a significant change of service occurs) Annually (unless a significant change of service occurs)
What are the major components? -Executive Summary
-Scope of Assessment
-Description of Environment
-Assessment Methodology
-Findings and recommendations
-Attestation of Compliance
-Supporting Documentation
-Business Information
-Assessment Information
-Self Assessment
-Attestation of Compliance
What are the possible findings? -In place
-Not applicable
-Not tested
-Not in place
-In place
-In place with a Compensating Control Worksheet
-Not applicable
-Not tested
-Not in place
What is the process for completing one? 1. Determine the QSA you will use or ISA that will perform the assessment.
2. Prepare for the assessment by reviewing requirements, scope and controls.
3. Conduct the assessment.
4. Remediate findings.
5. Submit the attestation to inquiring parties.
6. Maintain compliance throughout the year.
1. Determine who internally is going to perform the assessment, or reach out to a QSA firm.
2. Prepare for the assessment by reviewing requirements, scope and controls.
3. Conduct the assessment.
4. Remediate findings.
5. Submit the attestation to inquiring parties.
6. Maintain compliance throughout the year.