NL +31 (0)20 4232420 / SP +34 937 379 542

Why organizations should consider having a PCI Report on Compliance completed, even if the acquiring bank is not requiring one.

The Report On Compliance is mostly referred to as “ROC”. We often see our customers struggle to understand the differences between the PCI DSS requirements and if/when they are required to complete them. There are many reasons a PCI Report on Compliance can benefit your organization. More about that later. First, we will clear up some of the confusion around the term ROC below.


PCI ROC who needs one


A PCI ROC is required for all Level 1 Merchants. A Level 1 Merchant is a retailer that has more than 6 million annual transactions with Visa and/or Mastercard.

  • Level 1 Merchant – ROC & Quarterly External ASV Scans
  • Level 2 Merchant – ROC or appropriate SAQ & Quarterly External ASV Scans (depending on card brand requirements)
  • Level 3 Merchant – Appropriate SAQ & Quarterly External ASV Scans

So, how do you know what level merchant you are? When in doubt, ask your acquiring bank what level your organizations is.


How Does it Work?


A Report on Compliance (ROC) tests the standards that are in place to protect the credit card information. Some facts about the ROC:

  • Tests payment applications, dataflow, network in place for the CDE, tests IT Policies and Procedures
  • A ROC must be completed by a Qualified Security Assessor (QSA)
  • The QSA completes an Attestation of Compliance (AOC) that is sent to the retailer’s merchant bank who then sends it to the appropriate card brand

Once you have determined when your organization is required to do (from your acquiring bank), you will have to complete these requirements annually


4 Reasons to consider a ROC


1. Independence – When you decide to have a PCI Report on Compliance completed, you are making a conscious choice to have an independent, objective third-party assess your environment. This demonstrates that you are serious about security and aren’t “checking a box”.

2. Confidence – Having the help of a reputable Qualified Security Assessor (QSA) to conduct your PCI Report on Compliance, your organization can have confidence in the report received at the end of the engagement.

3. Assurance – Upon completion of the ROC process, rest assured that your organization has complied with all 12 requirements of the most current version of the PCI Data Security Standards.

4. Competitive Advantage – For organizations that are not required to have a PCI Report on Compliance completed, a competitive advantage could be gained over the competition by demonstrating a commitment to security and compliance by “going the extra mile.

So, is a PCI Report on Compliance right for your organization? You know your situation better than anyone. But, if you have a ROC completed when you are not required to, you are demonstrating a commitment to not only compliance but to security as well.

Would you like to discuss your specific circumstances to determine if a PCI Report on Compliance makes sense for you? Contact us

Read more about the differences between ROC, AOC and SAQ