If your organization accepts, handles, stores, transmits, or impacts the security of cardholder data, then you need to be PCI compliant. Your acquiring banks, payment card brands, or customers could require that you complete PCI compliance validation annually at a minimum.
Depending on what PCI level your business falls under, the compliance report will either be a Report on Compliance (RoC) or a self-assessment questionnaire (SAQ).
PCI RoC vs SAQ
PCI RoC is an external audit performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) to determine whether your organization’s policies and procedures, network and application configurations, and general security controls meet PCI DSS requirements.
PCI SAQ is a series of yes-or-no questions covering all 12 requirements, through which you attest that your organization meets the PCI DSS standard. It can be completed by your organization alone, or reviewed by a QSA to determine the organization’s PCI compliance status.
There are 8 types of self-assessment questionnaires for merchants and service providers to prove their PCI DSS compliance.
Who needs a RoC vs SAQ?
RoC applies to Merchant Level 1 and Service Provider Level 1 organizations. So, you qualify for RoC if your organization:
- Accepts card payments in exchange for goods and services AND processes over 6 million transactions per year; or
- Processes cardholder data on behalf of another company AND processes over 300,000 transactions per year
RoCs may also be required for merchants and service providers that process fewer transactions than the thresholds above, depending on the risk requirements of the customers and banks they work with.
If you don’t fall into these categories, you’ll need to complete an SAQ.
Who can conduct an RoC vs SAQ?
An RoC must be completed either by a certified QSA or an ISA. The PCI Security Standards Council provides a list of QSAs to help you find one near you.
SAQs are conducted internally by the organization, but can be reviewed by a QSA to determine the organization’s compliance status with PCI.
How often should an organization complete an RoC vs SAQ?
Payment brands set audit frequency, but in general, a Level 1 merchant or service provider will need to undergo a full audit and complete an RoC annually.
Payment brands also set the frequency for SAQs, but in general, Level 2-4 organizations should complete one annually. Most brands also require these organizations to complete and submit an Attestation of Compliance (AoC) annually.
RoC vs SAQ Parts
An RoC is split into three parts: an executive summary, a summary of findings, and the attestation of compliance.
- The executive summary describes how the audit was conducted and what was tested, including many specific details about the organization such as network diagrams, cardholder data flows, environment details, and assessor information.
- The summary of findings is where the QSA documents how they observed or inspected the controls in place and records their finding for each requirement.
- The attestation of compliance is a summary showing which requirements were marked in place, not in place, or not applicable, and is where the QSA signs off on the organization’s compliance status.
The SAQ also has three parts:
- A business overview where you document details of your service and cardholder data environment
- A set of self-guided questions designed to assess your level of compliance
- An attestation of compliance, which requires you to attest that you're both qualified to perform the SAQ and have done so
RoC vs SAQ results
In PCI DSS 4.0, there are different types of results for the RoC and SAQ respectively. They are listed below.
- In place: Testing has been performed and all elements of the requirement are met.
- In place with remediation (SAQ only): The requirement was not met at some point during the assessment, but was remediated before the completion of the assessment.
- In place with CCW (SAQ only): The expected testing has been performed, and the requirement has been met with the assistance of a compensating control documented in a Compensating Control Worksheet (CCW).
- Not applicable: The requirement does not apply to the organization.
- Not tested: The requirement was not included in the assessment and not tested in any way.
- Not in place: Some or all elements of the requirement have not been met, are in the process of being implemented, or require further testing.
An organization is not considered compliant if it fails to meet any requirement within the PCI DSS. Validation is all or nothing, so every requirement must be met to be considered PCI compliant.
RoC vs SAQ process
There are six major steps for completing an RoC:
- Step 1: Determine which QSA or ISA will perform the assessment.
- Step 2: Prepare for the assessment by reviewing requirements, scope, and controls.
- Step 3: Conduct the assessment.
- Step 4: Remediate findings.
- Step 5: Submit the attestation to inquiring parties.
- Step 6: Maintain compliance throughout the year.
The SAQ process can also be broken down into six steps.
- Step 1: Determine who internally is going to perform the assessment, or reach out to a QSA firm.
- Step 2: Prepare for the assessment by reviewing requirements, scope, and controls.
- Step 3: Conduct the assessment.
- Step 4: Remediate findings.
- Step 5: Submit the attestation to inquiring parties.
- Step 6: Maintain compliance throughout the year.
Below is a summary of the key differences between the RoC and SAQ.