PCI DSS Compliance: What do PCI SAQ, AoC, and RoC Mean?

by Sarah Harvey / November 3rd, 2020

The Payment Card Industry Data Security Standard, or PCI DSS, was established as a standard security requirement for all entities that store, process, or transmit cardholder data. PCI DSS compliance helps to demonstrate your security commitment and assure your clients that their cardholder data is protected. When you engage in a PCI DSS audit, you’re testing your organization’s systems and processes against 12 technical and operational requirements made up of nearly 400 individual controls established by the PCI Security Standards Council to protect cardholder data.

There are three parts to a PCI DSS audit and the merchant level of your organization plays a part in determining what you need from a PCI DSS audit. Let’s take a look at the distinctions between a PCI DSS Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AoC), and Report on Compliance (RoC).

What is a PCI SAQ?

The PCI Self-Assessment Questionnaire is a tool used to document an organization’s self-assessment of their security practices concerning cardholder data. There are nine different SAQ types which apply variably to different organizations depending on how they process, handle, and store cardholder data. The type and number of questions vary by SAQ type: the simplest SAQ has a couple of dozen questions and the most complex has almost 400. The right PCI SAQ for your company depends on how you process and handle cardholder data.

SAQ A

PCI SAQ A is for companies that have fully outsourced cardholder data processing to a third party. These include ecommerce stores, phone sales, and mail order companies. SAQ A can only be used if a company does not store, process, or transmit cardholder data on its systems or premises.

SAQ A-EP

SAQ A EP is exclusive to ecommerce retailers who (i) only sell via ecommerce; (ii) outsource credit card sales to a third party, but (iii) handle the delivery of cardholder data to payment processors. The ecommerce business does not store, process, or transmit cardholder data on their systems.

SAQ A-EP is superficially similar to SAQ A — both apply to ecommerce businesses that outsource the payment process. The critical difference is in the flow of cardholder data from the merchant to the payment processor and who collects that data.

SAQ A may be appropriate if cardholder data is collected by the payment processor. For example, your site redirects customers to a page on the payment provider’s site to enter information or displays the provider’s page in an iframe. In contrast, SAQ A-EP may be appropriate if your store collects cardholder data with an on-site form and then sends it to the payment processor via JavaScript code or some other means.

SAQ B

SAQ B is for merchants who use imprint machines or terminals to collect credit card data. The merchant does not store or process cardholder data. SAQ B is not relevant to ecommerce and most other credit card transactions that are carried out exclusively over the web.

SAQ B-IP

SAQ B-IP is a variation on SAQ B that applies to merchants who use PTS-approved terminals with an IP connection to the payment provider. SAQ B-IP does not apply to most businesses who transact electronically over the web.

SAQ C

PCI SAQ C is relevant for merchants that deal with card-not-present credit card payments over the phone or mail and card-present payments via point-of-sales terminals. The merchant does not store cardholder data electronically, but may have paper records. It is not relevant to ecommerce businesses.

SAC C only applies if your business does not store cardholder data electronically, but delivers it to a payment processor via a payment application system and internet connection on the same device or LAN, which are not connected to other systems within your environment.

SAQ C-VT

SAQ C-VT is for merchants who use virtual payment terminals on a device which is only used for credit card processing. It is not relevant to ecommerce and most online sales.

SAQ P2PE

PCI SAQ P2PE is for merchants who collect cardholder data via a hardware payment terminal with a PCI SSC-approved peer-to-peer encryption (P2PE) solution. SAQ P2PE is a relatively short questionnaire because cardholder data is encrypted as soon as it’s entered into the payment terminal—the merchant cannot decrypt it and has no access to the data. Only the payment processor has the encryption key.

SAQ D

PCI SAQ D is a catch-all SAQ for organizations that are eligible but do not meet the criteria we’ve outlined for the other PCI Self-Assessment Questionnaires. For example, they may not outsource credit card processing and they may store card data electronically. There are two versions of SAQ D: SAQ D for Merchants and SAQ D for Service providers. SAQ D is by far the longest and most onerous PCI SAQ, with over 320 questions.

These questionnaires help to determine which PCI DSS compliance requirements apply to your organization and how your current systems align with those security requirements. Although each of the SAQ types have different goals, your organization can evaluate which applies best to you so that you can obtain an AoC.

At KirkpatrickPrice, we offer guidance to help your organization work through your SAQ and ensure all of your yes/no answers are accurate according to your security systems. Even with a self-assessment, you’re not alone!

What is a PCI AoC?

The PCI Attestation of Compliance (AoC) is just that, an attestation completed by a Qualified Security Assessor (QSA) that states an organization’s PCI DSS compliance status. An AoC is documented evidence that an organization has upheld security best practices to protect cardholder data. Basically, an AoC is a written representation that your organization has completed the applicable SAQ and been verified by a QSA.

If your organization is a merchant, the requirements for a SAQ, AoC, and RoC vary depending on your PCI level of compliance. We’ve written an introduction on the 4 PCI merchant levels for you to refer to when determining your own level of compliance. Similarly to the SAQ, there are different versions of the AoC which coincide with the versioning for the SAQ. Whichever version of the SAQ your organization completes, the same version can be determined useful for your AoC.

What is a PCI RoC?

A PCI Report on Compliance (RoC) is issued by a QSA and details an organization’s security posture, environment, systems, and protection of cardholder data. The RoC is developed through a thorough assessment completed by a QSA that includes an onsite audit and review of controls. After an auditor tests your controls and obtains documentation of your processes, a summary of findings is developed which culminates in a final RoC.

Every RoC is organized according to the PCI Security Standards Council’s specifications for a qualified RoC which is derived from the RoC Reporting Template provided to all QSAs. The standardization of reporting allows your organization to provide every stakeholder, client, or interested party with a clear representation of your status on PCI compliance.

If you’re overwhelmed or confused by the PCI audit process, KirkpatrickPrice experts are here to help! Whatever your PCI objectives are, we want to partner with you to help you achieve your compliance goals. Call us today to talk with an expert and start your PCI compliance journey.

Learn more about PCI DSS from these KirkpatrickPrice resources: