The Payment Card Industry Data Security Standard, or PCI DSS, was established as a standard security requirement for all entities that store, process, or transmit cardholder data. PCI DSS compliance helps to demonstrate your security commitment and assure your clients that their cardholder data is protected. When you engage in a PCI DSS audit, you’re testing your organization’s systems and processes against 12 technical and operational requirements made up of nearly 400 individual controls established by the PCI Security Standards Council to protect cardholder data.
There are three parts to a PCI DSS audit and the merchant level of your organization plays a part in determining what you need from a PCI DSS audit. Let’s take a look at the distinctions between a PCI DSS Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AoC), and Report on Compliance (RoC).
What is a PCI SAQ?
The PCI Self-Assessment Questionnaire is a tool used to document an organization’s self-assessment of their security practices concerning cardholder data. There are nine different SAQ types which apply variably to different organizations depending on how they process, handle, and store cardholder data, including:
- SAQ A
- SAQ A-EP
- SAQ B
- SAQ B-IP
- SAQ C-VT
- SAQ C
- SAQ P2PE-HW
- SAQ D for Merchants
- SAQ D for Service Providers
These questionnaires help to determine which PCI DSS compliance requirements apply to your organization and how your current systems align with those security requirements. Although each of the SAQ types have different goals, your organization can evaluate which applies best to you so that you can obtain an AoC.
At KirkpatrickPrice, we offer guidance to help your organization work through your SAQ and ensure all of your yes/no answers are accurate according to your security systems. Even with a self-assessment, you’re not alone!
What is a PCI AoC?
The PCI Attestation of Compliance (AoC) is just that, an attestation completed by a Qualified Security Assessor (QSA) that states an organization’s PCI DSS compliance status. An AoC is documented evidence that an organization has upheld security best practices to protect cardholder data. Basically, an AoC is a written representation that your organization has completed the applicable SAQ and been verified by a QSA.
If your organization is a merchant, the requirements for a SAQ, AoC, and RoC vary depending on your PCI level of compliance. We’ve written an introduction on the 4 PCI merchant levels for you to refer to when determining your own level of compliance. Similarly to the SAQ, there are different versions of the AoC which coincide with the versioning for the SAQ. Whichever version of the SAQ your organization completes, the same version can be determined useful for your AoC.
What is a PCI RoC?
A PCI Report on Compliance (RoC) is issued by a QSA and details an organization’s security posture, environment, systems, and protection of cardholder data. The RoC is developed through a thorough assessment completed by a QSA that includes an onsite audit and review of controls. After an auditor tests your controls and obtains documentation of your processes, a summary of findings is developed which culminates in a final RoC.
Every RoC is organized according to the PCI Security Standards Council’s specifications for a qualified RoC which is derived from the RoC Reporting Template provided to all QSAs. The standardization of reporting allows your organization to provide every stakeholder, client, or interested party with a clear representation of your status on PCI compliance.
If you’re overwhelmed or confused by the PCI audit process, KirkpatrickPrice experts are here to help! Whatever your PCI objectives are, we want to partner with you to help you achieve your compliance goals. Call us today to talk with an expert and start your PCI compliance journey.