We often hear terms such as PCI SAQ, AOC and PCI Report on Compliance (ROC) thrown around. Do you struggle to understand the difference between these concepts and if or when you are required to complete them? The good news is that you are not alone; below we hope to clear up some of the confusion around these terms, what they mean and when you need to complete them.

From understanding the PCI DSS 3.2 requirements to knowing exactly how data flows, achieving PCI compliance requires a wealth of knowledge about the payment card industry. As a consultancy, our team notices that organizations need an explanation of the many abbreviations that are common in PCI compliance.




SAQ (Self-Assessment Questionnaire)

SAQ stands for Self-Assessment Questionnaire. It can be used for PCI DSS compliance and for assessing the security of your cardholder data. It is a reporting tool used by eligible merchants and service providers to document self-assessment results from a PCI DSS assessment.
An SAQ consists of two components:

  1. A set of questions corresponding to the PCI DSS requirements.
    The Questionnaire includes a series of yes-or-no questions for each applicable PCI Data Security Standard requirement. If an answer is no, your organization may be required to state the future remediation date and associated actions.
  2. An Attestation of Compliance (AOC).
    An Attestation of Compliance is your declaration that you are eligible to perform, and have performed, the appropriate Self-Assessment. An appropriate Attestation will be packaged with the Questionnaire that you select.

In some cases this simple declaration of compliance is enough. In other cases the intervention of a QSA certified by the PCI Council is required; in these cases the AOC is signed by a QSA, who endorses the responses of the self-assessment performed.

There are different SAQs available to meet different merchant environments. You can easily find the Self-Assessment Questionnaire that best describes how you accept payment cards. If you are not sure which questionnaire applies to you, contact your acquiring bank or payment card brand for assistance. You can also check our blog on the different SAQs. Once complete, the SAQ is submitted together with the AOC and any other requested documentation to the appropriate acquirer or payment brand.


ROC (Report on Compliance)

A Report on Compliance (ROC) tests the standards that are in place to protect the credit card information.
A PCI ROC is required for all Level 1 Merchants. A Level 1 Merchant is a retailer that has more than 6 million annual transactions with Visa and/or Mastercard.

Documents required at different levels:

      • Level 1 Merchant – ROC & Quarterly External ASV Scans
      • Level 2 Merchant – ROC or appropriate SAQ & Quarterly External ASV Scans (depending on card brand requirements)
      • Level 3 Merchant – Appropriate SAQ & Quarterly External ASV Scans

A Report on Compliance is a report documenting detailed results from a PCI DSS assessment. A ROC must be completed by a Qualified Security Assessor (QSA) after an audit, and subsequently submitted to the merchant’s acquirer. The acquirer, after accepting the ROC, sends it to the payment brand for verification.


AOC (Attestation of Compliance)

The AOC is a form used by merchants and service providers to attest to the results of a PCI DSS assessment. It is submitted to an acquirer or payment brand along with the appropriate SAQ or ROC, plus any other requested documentation.

The QSA completes an Attestation of Compliance (AOC) that is sent to the retailer’s merchant bank, which then sends it to the appropriate card brand.

You can find all these documents on the official PCI DSS site.