Skip to content

    What are the PCI DSS’ ROC, SAQ, and AOC?

    The are three primary steps of PCI DSS attestation 1) Assess, 2) Remediate, and 3) submit. In step 1, you'll complete either a self-assessment questionnaire (SAQ) or a report on compliance (ROC), depending on your merchat PCI level. Step 2 will require you to remediate any gaps discovered in your assessment. Step 3 will require the assessor to create and submit their assessment and an Attestation of Compliance (AOC) to their payment providers and banking parters.

    Everything you need to know about PCI DSS’ self-assessment questionnaires, Report on Compliance, an Attestation of Compliance.

    The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect against financial fraud by securing payment card data. Companies that collect, process, and store this data must implement a set of security controls and processes designed to prevent unauthorized access to and use of the data.

    Organizations subject to PCI DSS must annually demonstrate compliance with the regulation. PCI DSS lays out two ways of doing so:

    • the Self-Assessment Questionnaires (SAQ) and
    • the Report on Compliance (ROC). 

    You’ll then use your completed SAQ or ROC to produce an Attestation of Compliance (AOC). This document summarizes the assessment results and is then submitted to the Payment Card Industry Security Standards Council (PCI SSC).

    Attesting to PCI compliance is a multi-step processing. Step 1 is to complete an SAQ or ROC. Step 2 is to remediate any findings. Step 3 is to complete an AOC and submit to your acquiring partner.

    Demonstrating PCI DSS Compliance

    The type of assessment depends on the organization’s access to cardholder data and the number of transactions it processes annually.

    PCI DSS defines four levels for merchants. While the exact requirements for each level vary from one payment card brand to another, the definitions are similar. The main factor determining an organization’s PCI DSS level is transaction volume, but exceptions may be made based on whether an organization has suffered a data breach or similar factors. An issuing or acquiring bank may also apply additional requirements to their customers if necessary.

    Let’s take a quick look at the four assessment levels used by the industry.


    Level 1

    Level 2

    Level 3

    Level 4

    Number of card transactions:

    Over 6 million

    6 million - 1 million

    1 million - 20,000

    20,000 or fewer

    Compliance assessment type

    Report on Compliance by a QSA or an ISA

    Self-assessment questionnaire 

    Self-assessment questionnaire 

    Self-assessment questionnaire 

    What is a Self-Assessment Questionnaire (SAQ), and who completes it?

    Companies that fall into PCI DSS Levels 2-4 are only required to complete a Self-Assessment Questionnaire (SAQ). The person responsible for the payment infrastructure fills out the SAQ. This may look like the IT Manager, CISO (Chief Information Security Officer), CIO (Chief Information Officer), or CTO (Chief Technology Officer).

    The number of questions in an SAQ range from 22 to over 300, so be sure to understand which SAQ is right for you by evaluating your implementation’s access to cardholder data before starting an SAQ.

    What is a Report on Compliance (ROC), and who completes it?

    PCI DSS requires organizations that fit the requirements of PCI Level 1 to undergo a Report on Compliance (ROC). Much like a self-assessment questionnaire (SAQ), a ROC evaluates the company’s compliance with PCI DSS requirements. There are, however, two big differences between a ROC and an SAQ: 

    1. 1) Unlike an SAQ, this audit must be performed by an independent third-party Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) certified by the PCI SSC.
    2. 2)ROCs audit the controls for each of the over 300 PCI DSS controls, making it a longer and more expensive process overall*.

    *Exception: The SAQ D also requires a full assessment, but these can be completed internally without a QSA or ISA.

    What if you fail an assessment?

    At the end of an assessment — whether a ROC or an SAQ — the organization has hopefully demonstrated that it has complied with the requirements in the PCI DSS. If this is the case, the next step would be to report the successful audit to the PCI SSC.

    However, if your organization fails the assessment, it isn’t the end of the world. After a failed assessment, the next step is to develop a remediation plan that can help to close the identified security gaps and help the company to pass another audit. This plan can be used to request an extension for passing an audit.

    To help with planning a remediation effort, PCI SSC has published the Prioritized Approach for PCI DSS compliance. This lays out a six-step process for implementing PCI DSS requirements based on the priorities of each requirement.

    What is an Attestation of Compliance (AOC)?

    Once remediation is complete, an Attestation of Compliance (AOC) is created. This document validates that an organization has completed its assessment and is compliant with the PCI DSS requirements. This document is submitted to the PCI SSC alongside the assessment results (i.e., the completed SAQ or ROC).

    An AOC is completed by the party that performed the compliance audit against an organization’s systems. In the case of an SAQ, this will likely be an individual within the organization. The forms for an AOC are free to download from the PCI SSC website.

    In the case of a ROC, the QSA or ISA is responsible for filling out the form. Therefore, filling out the AOC should be included in the QSA’s fee for completing the ROC.

    What happens after you submit your AOC?

    After an AOC is completed, it is submitted to the acquirer or payment card brand. The AOC is the official proof that an organization complies with the requirements of the PCI DSS.

    Piecing it all together: SAQ vs. ROC vs. AOC

    PCI DSS includes several acronyms, and understanding them is essential to selecting the right approach to compliance and demonstrating it properly.  The first step is identifying which form of compliance an organization should seek.  Some companies are eligible for an SAQ — where they test their own compliance — while some are required or volunteer to undergo a ROC — which involves an assessment by a qualified auditor.  

    At the end of the assessment, the AOC is the document created and used to demonstrate compliance with the PCI SSC.  Each year, every company subject to the PCI DSS regulation will submit an AOC or have one submitted for them.  The most significant difference is the process used to reach that point and the exact form submitted by the organization.

    Reduce the Costs and Effort of PCI DSS Attestation

    Like most things in compliance and security, it's usually better to keep things as simple as possible. Using a third-party service, like Basis Theory, can help reduce the effort to build, maintain, and assess PCI compliance by as much as 99%—all without diminishing its value to your organization. These services work by providing you with a Level 1 PCI-compliant environment and developer tools that help collect, store, and transmit cardholder data without exposing systems to PCI DSS requirements. 

    The cost is worth the investment if it saves you the effort (and headache) of trying to figure this out on your own. With our PCI Blueprint, you can get started with your own environment for free in as little as 5 minutes!

    Want Product News & Industry Updates?

    Subscribe to the Basis Theory blog to get updates right in your inbox