PCI Report on Compliance Assessment

Organizations that store, process or transmit credit card data must comply with relevant PCI Data Security Standards, and compliance must be attested to on an annual basis.

PCI Report on Compliance (RoC) and Attestation of Compliance (AoC)

Payment Card Industry (PCI) requirements are contractual obligations for organizations that accept payment by credit card. The PCI Report on Compliance and Attestation of Compliance (RoC/AoC) is an assessment conducted against the PCI Data Security Standard (PCI DSS) to determine your organization’s ability to protect cardholder data. Level 1* merchants (6+ million transactions per year) are required to submit a PCI RoC/AoC to verify that the required policies, procedures and controls are in place. The RoC/AoC must be completed by a Qualified Security Assessor (QSA) on an annual basis to verify compliance with the relevant controls.

RSM’s consultants are QSA-certified and can complete the RoC/AoC for clients. Our approach to a RoC/AoC includes interviews, an analysis of policies and procedures, and validation of the technical controls pertaining to the cardholder data environment. By using the RoC/AoC to maintain PCI compliance, organizations gain a competitive advantage as they secure their infrastructure, establish a baseline for security and increase their overall credibility. Maintaining PCI compliance helps safeguard credit card information and builds customer confidence. Finally, for an organization to claim “safe harbor,” it must be in full compliance with the PCI DSS at the time of a breach.

*Note: The enforcement of a PCI DSS assessment by an independent QSA could be applicable to other levels of merchants upon determination by the acquiring entity or card brand.

Related resources

PCI PIN 3.0 and the PCI QPA program

The PCI PIN program outlines the requirements for all organizations that manage or deploy PIN acceptance devices.

Payment card industry compliance for financial institutions

Many financial institutions are required to comply with PCI DSS. Here is a guide to help them achieve and maintain PCI compliance.

PCI Report on Compliance Readiness Assessment

The PCI gap assessment helps you identify holes in your PCI program so you can effectively move toward compliance.