PCI Attestation of Compliance (AoC)?

It became mandatory for businesses that accept card payments to adhere to the Payment Card Industry Data Security Standard (PCI DSS) in order to prevent security breaches and avoid costly fines. For instance, a recent data breach at Wawa resulted in an $8 million settlement due to violations of PCI DSS, highlighting the importance of compliance for businesses that handle card payments. To demonstrate their adherence to PCI DSS and safeguard customer data, businesses must obtain a PCI DSS Attestation of Compliance (AoC). In this article, we will provide an explanation of what a PCI AoC is and guide you on how to obtain one to showcase your PCI DSS compliance.

What exactly is a PCI AoC?

A PCI Attestation of Compliance (AoC) is a formal declaration that attests to an organization’s compliance with the PCI DSS. It functions as documented evidence that the organization follows security practices that effectively protect against potential threats to cardholder data. The completion of this document is carried out by either a Qualified Security Assessor (QSA) or the business itself. A QSA is an entity that holds certification from the PCI Security Standards Council (PCI SSC) – the body responsible for establishing the PCI DSS. These QSAs are authorized to conduct audits measuring PCI DSS compliance and determine whether organizations meet the necessary criteria. Furthermore, QSAs can assist organizations in navigating the compliance process, which we will delve into later on.

PCI RoC vs. AoC

In addition to the AoC, organizations may also receive a PCI Report on Compliance (RoC) from a QSA, which serves a similar function as an AoC. The RoC differs in terms of the thoroughness of the QSA’s evaluation. RoCs involve QSA audits that review an organization’s process documentation and test its controls to verify its compliance with PCI DSS. On the other hand, organizations usually only need to complete a Self-Assessment Questionnaire (SAQ) to obtain an AoC. This self-assessment is then examined by a QSA to determine the organization’s PCI compliance status.

However, larger organizations that undergo a QSA audit for an RoC may not need to complete an SAQ to obtain an AoC. In other words, successfully passing the RoC assessment is generally sufficient for organizations to also receive an AoC.

The necessity of an AoC

Any entity that manages cardholder data must obtain an AoC and undergo an assessment conducted by a QSA to demonstrate compliance with PCI DSS. However, whether an organization also requires an RoC depends on the level of compliance it falls under. Generally, organizations that process a higher number of debit and credit card transactions are subject to more stringent QSA assessment criteria.

PCI compliance levels for merchants and service providers To determine compliance levels for merchants and service providers, factors such as transaction volume and specific certification requirements come into play. Let’s examine the different compliance levels and respective certification requirements

PCI Compliance Level 1	Transactions: Over 6 million per year	Certification requirements: Need both an AoC and RoC
PCI Compliance Level 2	Transactions: 1 million-6 million per year	Certification requirements: Need an AoC and may require an SAQ and RoC
Merchant Level 3	Transactions: 20,000-1 million per year	Certification requirements: Need an AoC and SAQ
Merchant Level 4	Transactions: 20,000-1 million per year	Certification requirements: Need an AoC and SAQ

By reviewing your organization’s transaction records, you can determine which compliance level applies to you. It is essential to maintain consistent assessment and certification requirements across credit card brands. However, it is important to note that these levels may vary slightly depending on the brand. For instance, while Visa specifies specific PCI levels, Mastercard has its own specifications for PCI compliance level 1. Level 1 applies not only to merchants processing over 6 million card transactions annually but also to those who have experienced a hack or an attack resulting in an Account Data Compromise (ADC) event. American Express, Discover, and JCB International also have their own definitions of PCI levels. It is recommended to research and understand the PCI levels specified by each card brand to minimize compliance risk. If unsure about the necessary compliance documents, contacting a Qualified Security Assessor (QSA) for assistance is advisable.

Steps to receive an Attestation of Compliance (AoC) are outlined below

1. Achieve PCI compliance

The first step toward obtaining an AoC is ensuring compliance with PCI DSS. This involves establishing a secure network for cardholder information, implementing measures to protect the network, enforcing strict access controls for credit card data, and maintaining a comprehensive security policy that addresses information security, among other requirements of PCI DSS.

2. Determine compliance level and assessment type

Once confident about the organization’s compliance, determine the PCI compliance level and prepare for a QSA assessment. If the organization falls into Merchant Levels 3 or 4 (processing fewer than 1 million transactions per year), filling out a Self-Assessment Questionnaire (SAQ) for QSA review is necessary. Various SAQ types are available, so it’s important to research the appropriate one for the organization. For organizations falling into PCI compliance Levels 1 or 2, an SAQ and/or QSA audit may be required.

3. Schedule and complete the assessment

The QSA assessment can be conducted in person or virtually based on the QSA’s preferences. If the QSA determines compliance based on the SAQ, an AoC will be issued. If the organization’s compliance level warrants an audit, the QSA will evaluate the security posture, systems, and overall compliance with PCI. Following a positive evaluation, the QSA will provide an AoC (and potentially a Report on Compliance, RoC, as well).

Securing a PCI AoC with the help of Aidbs Technology

Achieving PCI compliance can be challenging without assistance. With over 300 rigorous security controls and numerous security requirements, it can be time-consuming and energy-draining, delaying the evaluation by a QSA and receiving the AoC. However, Aidbs offers a compliance automation platform that streamlines the compliance process, saving significant time and ensuring that the organization adheres to all operational controls and implements security best practices. To learn more about using the platform to achieve and maintain PCI compliance, requesting a demo from Aidbs is recommended.