PCI DSS Compliance: What do PCI SAQ, AoC, and RoC Mean?
by Tori Thurmond / January 8th, 2024
The Payment Card Industry Data Security Standard (PCI DSS) is a crucial security framework for businesses that handle cardholder data. Every business that processes, stores, or transmits cardholder data must comply with the framework and undergo an annual PCI DSS assessment to verify it complies.
The nature of the assessment ranges from self-assessment to a full on-site PCI DSS audit by a Qualified Security Assessor (QSA). It’s critical that businesses understand which is right for them.
A PCI DSS assessment has three main parts:
â—Ź The Self-Assessment Questionnaire (PCI SAQ)
â—Ź The Attestation of Compliance (PCI AoC)
â—Ź The Report on Compliance (PCI RoC)
In this guide, we’ll explore each part and identify the businesses they affect.
How Merchant Levels Impact PCI DSS Audit Requirements
The specific procedures required during a PCI DSS assessment depend on an organization’s merchant level, a classification based primarily on the volume of transactions it processes annually. There are four merchant levels:
- Level 1 merchants process over 6 million transactions annually across all channels.
- Level 2 merchants process between 1 million and 6 million transactions annually across all channels.
- Level 3 merchants process between 20,000 and 1 million online transactions annually.
- Level 4 merchants process less than 20,000 online transactions annually or less than 1 million transactions annually in total.
The table below outlines which assessment requirements apply to businesses at each merchant level. The outlined requirements are generally correct, but the specifics may differ for your company depending on its business model and individual credit card providers.
| Merchant Level | SAQ | AoC | RoC |
| 1 | Not typically required | Required (accompanies RoC)Â Â Â Â Â | Required (Annual on-site assessment by a QSA. |
| 2 | Required (Annually) | Required (With SAQ)Â Â Â Â Â Â Â | Not usually required |
| 3 | Required (Annually) | Required (With SAQ)Â Â Â Â Â | Not usually required |
| 4 | Required (Annually, type varies based on payment environment) | Required (With SAQ)Â Â Â Â Â | Not usually required |
For more information, read What are the 4 Levels of PCI Compliance?
What is a PCI SAQ?
The PCI Self-Assessment Questionnaire provides a framework for organizations to self-assess their cardholder data security. There are nine different SAQ types, ranging in length and complexity from a couple of dozen questions to over 300. The right SAQ for your company depends on its business model and how it processes and stores credit card data.
SAQ A
PCI SAQ A is for companies that have fully outsourced cardholder data processing to a third party. These include ecommerce stores, phone sales, and mail order companies. SAQ A can only be used if a company does not store, process, or transmit cardholder data on its systems or premises.
SAQ A-EP
SAQ A EP is exclusive to ecommerce retailers who (i) only sell via ecommerce; (ii) outsource credit card sales to a third party, but (iii) handle the delivery of cardholder data to payment processors. The ecommerce business does not store, process, or transmit cardholder data on their systems.
SAQ A-EP is superficially similar to SAQ A — both apply to ecommerce businesses that outsource the payment process. The critical difference is in the flow of cardholder data from the merchant to the payment processor and who collects that data.
SAQ A may be appropriate if cardholder data is collected by the payment processor. For example, your site redirects customers to a page on the payment provider’s site to enter information or displays the provider’s page in an iframe. In contrast, SAQ A-EP may be appropriate if your store collects cardholder data with an on-site form and then sends it to the payment processor via JavaScript code or some other means.
SAQ B
SAQ B is for merchants who use imprint machines or terminals to collect credit card data. The merchant does not store or process cardholder data. SAQ B is not relevant to ecommerce and most other credit card transactions that are carried out exclusively over the web.
SAQ B-IP
SAQ B-IP is a variation on SAQ B that applies to merchants who use PTS-approved terminals with an IP connection to the payment provider. SAQ B-IP does not apply to most businesses who transact electronically over the web.
SAQ C
PCI SAQ C is relevant for merchants that deal with card-not-present credit card payments over the phone or mail and card-present payments via point-of-sales terminals. The merchant does not store cardholder data electronically, but may have paper records. It is not relevant to ecommerce businesses.
SAC C only applies if your business does not store cardholder data electronically, but delivers it to a payment processor via a payment application system and internet connection on the same device or LAN, which are not connected to other systems within your environment.
SAQ C-VT
SAQ C-VT is for merchants who use virtual payment terminals on a device which is only used for credit card processing. It is not relevant to ecommerce and most online sales.
SAQ P2PE
PCI SAQ P2PE is for merchants who collect cardholder data via a hardware payment terminal with a PCI SSC-approved peer-to-peer encryption (P2PE) solution. SAQ P2PE is a relatively short questionnaire because cardholder data is encrypted as soon as it’s entered into the payment terminal—the merchant cannot decrypt it and has no access to the data. Only the payment processor has the encryption key.
SAQ D
PCI SAQ D is a catch-all SAQ for organizations that are eligible but do not meet the criteria we’ve outlined for the other PCI Self-Assessment Questionnaires. For example, they may not outsource credit card processing and they may store card data electronically. There are two versions of SAQ D: SAQ D for Merchants and SAQ D for Service providers. SAQ D is by far the longest and most onerous PCI SAQ, with over 320 questions.
These questionnaires help to determine which PCI DSS compliance requirements apply to your organization and how your current systems align with those security requirements. Although each of the SAQ types have different goals, your organization can evaluate which applies best to you so that you can obtain an AoC.
At KirkpatrickPrice, we offer guidance to help your organization work through your SAQ and ensure all of your yes/no answers are accurate according to your security systems. Even with a self-assessment, you’re not alone!
What is a PCI AoC?
The PCI Attestation of Compliance (AoC) is a documented affirmation by an organization of its adherence to PCI DSS standards. After completing a Self-Assessment Questionnaire, the organization fills out the corresponding version of the AoC to attest to the accuracy of their self-assessment and their compliance status.
Like the SAQ, there are multiple versions of the AoC. Organizations complete the AoC that corresponds with the specific SAQ they’ve completed.
While Level 2-4 merchants can complete their own AoC, they might choose to have it verified or guided by an experienced PCI DSS specialist. For Level 1 merchants, a Qualified Security Assessor typically validates their compliance and completes the Report on Compliance. The AoC for these organizations is then based on the results of the RoC.
What is a PCI RoC?
A PCI Report on Compliance (RoC) is a comprehensive document prepared by a QSA who has evaluated an organization’s systems, security measures, and cardholder data protection. RoCs are required for Level 1 merchants.
Through an extensive onsite review, the QSA examines and documents your controls. The assessment results in a summarized findings report, culminating in the finalized RoC.
Each RoC adheres to the PCI Security Standards Council’s criteria, drawing from the RoC Reporting Template. This consistent reporting ensures stakeholders, clients, and other interested parties get a transparent view of your PCI compliance stance.
Partner with KirkpatrickPrice to Become PCI Compliant
It’s normal to feel overwhelmed or intimidated by the PCI audit process with all of the steps it take to remain compliant. But you don’t have to figure it out on your own! At KirkpatrickPrice, we believe in supporting you from audit readiness to final report and every step in between. Whatever your PCI objectives are, we want to help you achieve your compliance goals. Connect with one of our experts today to get started on your PCI compliance journey.
Learn more about PCI DSS from these KirkpatrickPrice resources:
- PCI Demystified: An educational video series that covers many aspects of PCI DSS and PCI audits
- The Six Steps of a PCI Audit
- How Do I Find a QSA For My PCI Audit?
