Achieving PCI compliance takes exceptional effort and resources, but how can you prove it?
To showcase your commitment to data security to customers and regulators alike, an Attestation of Compliance can provide the documentation you need to evidence your comprehensive compliance strategy. By completing an Attestation of Compliance, you can ensure you have a detailed summary of your business’s compliance with the 12 high-level PCI DSS requirements.
Join us as we define what an Attestation of Compliance is, why you need it, and how the release of PCI DSS 4.0 may impact your current AOC.
What is a PCI Attestation of Compliance?
The PCI Data Security Standard (DSS) sets global expectations for handling customer payment data.
For merchants, one major consideration for PCI compliance centers around how to prove compliance to the PCI Security Standards Council (SSC). Merchants at different PCI levels require differing types of assessments, with merchants in Levels 1 to 3 required to complete an Attestation of Compliance.
Need to know more about merchant PCI levels? Read our PCI Compliance Checklist for a thorough breakdown of the different PCI levels and requirements.
An Attestation of Compliance, or AOC for short, affirms that your business has undergone the proper compliance assessments and adheres fully to the PCI DSS.
Per the official PCI Security Standards Council glossary, an AOC is a “form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.”
Obtaining an AOC involves a comprehensive assessment of your systems and processes by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). Depending on the number of annual transactions your business processes, you will need to complete a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) before you can obtain an AOC.
Here’s a quick overview of these two assessments:
- SAQ: An SAQ helps merchants categorized in Levels 2 to 4 self-assess their adherence to PCI DSS requirements based on the specific business processes and the methods they use to handle payment card data. There are several types of SAQs, each tailored to different types of businesses and payment processing methods.
- ROC: A ROC is a more formal document prepared by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). This type of documentation is often only expected of Level 1 merchants and must be completed as an independent evaluation conducted by one of the qualified third parties listed before. A ROC includes detailed information about your systems, processes, and controls related to the protection of cardholder data.
Following the completion of either the SAQ or ROC assessment, your business can receive an AOC, serving as tangible evidence that your organization operates securely and is PCI compliant.
It is important to note that an AOC is not a one-time achievement — these assessments are required annually, making an annual AOC necessary as well. Failure to comply with PCI DSS can have severe consequences, including fines, legal liabilities, and reputational damage.
With this in mind, let’s discuss how upcoming changes to the PCI DSS may impact your AOC.
PCI DSS 4.0: The Impact on Your Attestation of Compliance
The newest iteration of the PCI DSS — PCI DSS 4.0 — came into effect in March 2024.
According to the PCI Security Standards Council, the changes aim to achieve the following goals:
- Continuing to meet the security needs of the payment industry
- Promoting security as a continuous process
- Adding flexibility for different methodologies
- Enhancing validation methods
While PCI DSS 4.0 is officially in effect, several new requirements are future-dated, with compliance not expected until March 2025. As of March 2024, the PCI DSS 4.0 versions of the AOCs for merchants and service providers are available and ready for use on the PCI Document Library.
How to Complete a PCI Attestation of Compliance
While PCI DSS compliance is not federally mandated, failing to complete a required AOC can result in the card issuing companies you work with imposing significant fines or even revoking your account access until you remediate your non-compliance issues.
To complete an AOC, the first step is determining your merchant level, which is based on your number of annual transactions. As we have discussed, not all businesses must submit an AOC. Merchants Levels 1 to 3 are required to complete an AOC.
Once you are certain of your merchant level, you can determine which assessments you need to complete. A SAQ can be completed internally, while a ROC requires the assistance of a third-party assessor. Your finished SAQ or ROC serves as the crucial component for obtaining an AOC.
Regardless of the type of assessment required, taking the time to optimize your compliance strategy before performing this assessment is key. Merchants who rely on external service providers for their payment infrastructure should make sure to choose providers with Level 1 PCI compliance.
With Spreedly, You Can Reduce Your PCI Compliance Burden
PCI compliance can be a painful process, especially for growing businesses with enough to worry about. Spreedly’s Advanced Vault offers PCI Level 1 compliance, the highest level for merchants.
Our vaulting solution helps you establish a modern, evergreen approach to payment data security, all while ensuring you grow your revenue along the way.
With Spreedly, you gain a fully-optimized payment environment ready to handle your biggest transactions, helping you to reduce the burden of PCI compliance.
Plus, we help you improve recurring payments and drive customer loyalty with features like Network Tokenization and Account Updater. By keeping your stored payment data up-to-date, Spreedly enables you to meet PCI requirements while also improving the customer payment experience.
Chat with Spreedly today to learn how our payment orchestration solution can benefit your business.
Download the PCI Compliance eBook Below
.png)
.svg){kind=icon}
.svg)
