In the financial sector, the Payment Card Industry (PCI) Attestation of Compliance (AoC) is a key PCI DSS deliverable: it is the formal statement that an organization has been assessed against the standard's data protection requirements. It also matters to stakeholders and to the PCI Security Standards Council (PCI SSC), who treat it as evidence of a business's commitment to PCI compliance. Failing to complete your AoC can therefore have significant repercussions, including fines, penalties, reputational damage and even suspension of payment card processing privileges. To help organizations understand how the AoC works, we'll cover its definition, its purpose and the assessment processes that lead to it, so that your organization knows how to satisfy its specific compliance requirements.
Key Elements of the AoC
The AoC is a formal declaration that an organization has been assessed against the PCI Data Security Standard (PCI DSS) through one or more of its assessment processes. Strictly speaking it is an attestation rather than a certification (the PCI SSC does not certify organizations), but the two terms are used interchangeably in practice, and this article follows that usage. The AoC is a standard PCI SSC form that is completed and signed by the assessed organization and, where an external assessor performed the assessment, by that assessor as well. It is then submitted, together with the supporting assessment report, to the entity that requires it, such as an acquiring bank, payment processor, or a customer of a service provider. The AoC may be provided in electronic or physical form, depending on the preferences of the receiving entity. Because PCI DSS validation is an annual exercise, an AoC is dated and should be read as evidence for the assessment period it covers, not as a permanent status.
Within each AoC, there are four consistent key elements:
- The identification of the entity under assessment.
- Details outlining the scope of the assessment.
- Confirmation from the assessor regarding compliance with the PCI DSS requirements.
- A clear declaration of the assessment's results, indicating the entity's compliance status (for example, Compliant or Non-Compliant).
When you receive another organization's AoC, for example from a service provider, compare its scope section against the services you actually consume; an AoC whose scope excludes those services gives you no assurance for them. With that in mind, let's explore the different assessment processes that businesses must undergo to acquire this crucial certification.
The Assessment Prerequisites For an AoC
Depending on whether you’re a merchant (businesses that accept payment cards for goods or services) or service provider (entities that store, process, or transmit cardholder data on behalf of merchants or other entities) and the compliance level you fall into, the journey to receiving an AoC will vary. This is because organizations will first need to acquire either a Report on Compliance (RoC), a Self-Assessment Questionnaire (SAQ), or a combination of the two before they can acquire their AoC. Let’s explore the connection between an RoC and an AoC.
RoC and AoC Compliance Relationship
An RoC is an in-depth technical assessment conducted by a Qualified Security Assessor (QSA) confirming an organization's adherence to the PCI DSS requirements. While both the RoC and the AoC demonstrate an organization's commitment to PCI compliance, the AoC is a summary attestation of that compliance, whereas the RoC is the comprehensive assessment on which the attestation rests. It's critical to remember that any organization required to attain both an RoC and an AoC will always have to complete the RoC first.
SAQ and AoC Compliance Relationship
An SAQ is a validation tool used by merchants and service providers to self-assess their compliance with the PCI DSS requirements. It consists of a series of questions covering various security practices and controls related to handling payment card data. The SAQ is designed to help organizations determine their level of compliance based on factors such as their transaction volume, processing methods, and the extent of their involvement in handling payment card data.
The key difference between an AoC and an SAQ is that an SAQ is a self-assessment tool used by organizations to evaluate their compliance with the PCI DSS requirements, while an AoC is the formal attestation that affirms the organization's compliance status based on the assessment results. Each SAQ type has a matching AoC form (for example, the AoC for SAQ A), and the two are submitted together. Much like an RoC, any organization required to attain both an SAQ and an AoC will always have to complete the SAQ first.
PCI Levels Impact AoC Requirements
Now that the distinction between RoCs and SAQs has been made, it’s essential to break down which assessment processes are required for each PCI category for an organization to attain its AoC.
The procedures required to obtain an AoC vary according to the merchant or service provider level assigned to an organization by its acquirer or the payment brands. That level is primarily determined by the organization's annual transaction volume. There are two categories of service providers and four categories of merchants, giving six different levels of PCI requirements in total.
The tables below delineate which assessment each compliance level must complete alongside its AoC to validate PCI DSS compliance. While these requirements are typically accurate, the validation required depends on the level assigned to the merchant or service provider by its acquirer or the payment brands, and the brands' level definitions differ in detail. Merchants and service providers should contact their acquirer or the payment brands to identify their specific validation and reporting requirements:
| Merchant Level | Certification Required |
| --- | --- |
| Level 1 (more than 6 million transactions annually) | RoC and AoC |
| Level 2 (1 million to 6 million transactions annually) | SAQ and AoC |
| Level 3 (20,000 to 1 million transactions annually) | SAQ and AoC |
| Level 4 (fewer than 20,000 transactions annually) | SAQ and AoC |

| Service Provider Level | Certification Required |
| --- | --- |
| Level 1 (more than 300,000 transactions annually) | RoC and AoC |
| Level 2 (fewer than 300,000 transactions annually) | SAQ and AoC |
Final Thoughts
The journey towards obtaining a PCI AoC is multifaceted, requiring organizations to complete the assessment process that matches their merchant or service provider level, plus any additional requirements defined by their acquirer or payment brands, and to repeat it annually. The effort is worth it: the AoC is a testament to an organization's dedication to upholding rigorous security standards, and the assessment behind it reinforces both its security posture and its compliance framework.