PCID-01

Do you have a current, executed within the past year, Attestation of Compliance (AoC) or Report on Compliance (RoC)?

Explanation

This question is asking whether your organization has a current Attestation of Compliance (AoC) or Report on Compliance (RoC) for the Payment Card Industry Data Security Standard (PCI DSS) that was executed within the past year.

What these documents are:

- An Attestation of Compliance (AoC) is a form that summarizes the results of a PCI DSS assessment and declares your compliance status.
- A Report on Compliance (RoC) is a detailed report documenting the results of a PCI DSS assessment, typically prepared by a Qualified Security Assessor (QSA).

Why this is being asked:

1. PCI DSS compliance is required for any organization that stores, processes, or transmits payment card data.
2. The assessment wants to confirm that your organization has undergone the appropriate PCI DSS validation process.
3. The recency requirement (within the past year) ensures your compliance is current, as PCI DSS requires annual reassessment.

The question helps the assessor understand if your organization meets the payment card industry's security requirements, which protect sensitive cardholder data. Having a current AoC or RoC demonstrates that you've been formally assessed against these requirements.

How to best answer:

- Be specific about which document you have (AoC or RoC)
- Include the date of execution/completion
- Mention your compliance level (e.g., Level 1, 2, 3, or 4)
- If applicable, note the QSA who performed the assessment
- If you don't have either document but process payment card data, explain your current compliance status and plans

Guidance

Refer to the PCI DSS Security Standards for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, our organization has a current Attestation of Compliance (AoC) that was completed on March 15, 2023. We are a Level 2 merchant processing approximately 1.5 million credit card transactions annually. Our AoC was prepared following a self-assessment using the SAQ D for merchants, and it was signed by our Chief Information Security Officer and reviewed by our acquiring bank. We maintain compliance with all applicable PCI DSS requirements and undergo reassessment annually.

Example Response 2

Yes, we have a current Report on Compliance (RoC) executed on November 8, 2023. As a Level 1 service provider, we underwent a full onsite assessment conducted by ABC Security Partners, a PCI SSC Qualified Security Assessor (QSA). Our RoC confirms compliance with all 12 PCI DSS requirement domains. We also maintain the corresponding Attestation of Compliance signed by both our QSA and our Chief Technology Officer. These documents are available for review under appropriate confidentiality agreements.

Example Response 3

No, we do not currently have an executed Attestation of Compliance or Report on Compliance. While we do process credit card transactions, we completely outsource all payment processing to a third-party provider (PaymentSecure Inc.) using their hosted payment page solution. The cardholder data never touches our systems or network. We have implemented their JavaScript integration, which redirects customers to their PCI-compliant environment for payment processing. We have documentation from PaymentSecure confirming their PCI DSS Level 1 compliance status, and we have a signed agreement with them covering the security responsibilities. We are currently working with a QSA to determine if we qualify for SAQ A and expect to complete this process within the next 60 days.

Context

Tab: Case-Specific
Category: Payment Card Industry Data Security Standard (PCI DSS)

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub