Payment Security

July 9, 2024

What is PCI Attestation of Compliance?

Your guide to obtaining PCI compliance through Attestation of Compliance documentation

Written by

Rachel Fine

The PCI Data Security Standard (DSS) dictates how businesses can securely process and manage payments. As cybercrime persists as a significant challenge to payment security, this security standard helps protect you against substantial financial loss and frustration. 

According to IBM’s 2023 Cost of a Data Breach Report, the total average cost of a breach has risen to $4.45 million, more than a 15% increase compared to three years prior. 

Securing your payment system according to the latest regulatory standards takes exceptional effort and resources. The last thing you want to do is reach the finish line and discover you don’t know how to prove the strength of your data security.

When in need of such proof, an attestation of compliance is a good place to start.

Completing an Attestation of Compliance: Why It Matters

An attestation of compliance form proves a payment system meets the 12 high-level PCI requirements. Merchants and service providers use this form to present the results of their compliance assessment, completed by either a qualified security assessor or an internal security assessor. 

As part of this assessment, you must complete a self-assessment questionnaire or a report on compliance. The type of assessment you complete depends on your merchant level. Take a look at the purpose of these two assessments and their requirements:

  • SAQ: An SAQ helps merchants categorized in Levels 2 to 4 self-assess their compliance based on the specific business processes and the methods they use to handle payment card data. Different types of this questionnaire exist to serve different businesses and their unique payment processing systems. 
  • ROC: A ROC is a more formal document prepared by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). This type of documentation is often expected only of Level 1 merchants and must be completed as an independent evaluation conducted by one of the qualified third parties named above. A ROC includes detailed information about your systems, processes, and controls related to the protection of cardholder data.

Following the completion of either the SAQ or ROC assessment, your business can receive an AOC, serving as tangible evidence that your organization operates securely.

However, completing an AOC is not a one-time achievement. You must annually complete a compliance assessment and attestation form to prove your system meets the current standards. Failure to comply can have severe consequences, including fines and reputational damage. 

PCI DSS 4.0: Proving Your Compliance with the Latest Regulatory Update 

PCI DSS 4.0, the newest iteration of the security standard, came into effect in March 2024 and aims to achieve the following goals:

  • Continuing to meet the security needs of the payment industry
  • Promoting security as a continuous process
  • Adding flexibility for different methodologies
  • Enhancing validation methods

While the new standard is officially in effect, several new requirements are future-dated, with compliance not expected until March 2025. As of March 2024, the 4.0 versions of the AOC form for merchants and service providers are available and ready for use on the PCI Document Library. 

How to Complete an Attestation of Compliance

While PCI DSS compliance is not federally mandated, failing to complete a required AOC can result in the card issuing companies you work with imposing significant fines or even revoking your account access until you remediate your non-compliance issues. 

To complete an AOC, the first step is determining your merchant level, which is based on your number of annual transactions. As we have discussed, not all businesses must submit an AOC. Merchants at Levels 1 to 3 are required to complete an AOC.

Once you are certain of your merchant level, you can determine which assessments you need to complete. An SAQ can be completed internally, while a ROC requires the assistance of a third-party assessor. Your finished SAQ or ROC serves as the crucial component for obtaining an AOC.

Regardless of the type of assessment required, taking the time to optimize your compliance strategy before performing this assessment is key. Merchants who rely on external service providers for their payment infrastructure should make sure to choose providers with Level 1 PCI compliance. 

With Spreedly, You Can Reduce Your Compliance Burden

PCI compliance can be a painful process, especially for growing businesses with enough to worry about. Spreedly’s Advanced Vault offers Level 1 compliance, the highest level for merchants. 

Our vaulting solution helps you establish a modern, evergreen approach to payment data security, all while ensuring you grow your revenue along the way. 

With Spreedly, you gain a fully optimized payment environment ready to handle your biggest transactions, helping you to reduce the technological burden of compliance.

Plus, we help you improve recurring payments and drive customer loyalty with features like Network Tokenization and Account Updater. By keeping your stored payment data up to date, Spreedly enables you to meet compliance requirements while also improving the customer payment experience.

Chat with Spreedly today to learn how our payment orchestration solution can benefit your business. 

Written by

Rachel Fine

Rachel Fine is Senior Compliance Manager at Spreedly, where she leads the company’s PCI-DSS and SOC 2 compliance programs and oversees governance frameworks that support secure, scalable payment infrastructure. Her work focuses on translating regulatory requirements into practical, risk-based processes that enable the business to move confidently while maintaining strong security and audit readiness.

Rachel brings a structured, program-driven approach to compliance, balancing strategic oversight with operational detail. She has guided initiatives spanning PCI DSS 4.0 readiness, data classification, SOC 2 certification, and customer advisory on regulatory obligations, helping organizations navigate evolving standards without slowing innovation.

Rachel writes about payment compliance, PCI DSS, SOC 2, and regulatory strategy, with a focus on helping organizations understand the real cost of compliance, reduce development burden, and build resilient governance programs that support long-term growth.
