PCI Report on Compliance Assessment

Organizations that store, process or transmit cardholder data must comply with the PCI Data Security Standard (PCI DSS), and compliance must be validated and attested to on an annual basis.

PCI Report on Compliance (RoC) and Attestation of Compliance (AoC)

Payment Card Industry (PCI) requirements are contractual obligations for organizations that accept payment cards. The PCI Report on Compliance (RoC) documents the results of an assessment conducted against the PCI Data Security Standard (PCI DSS) to determine how well your organization protects cardholder data, and the Attestation of Compliance (AoC) is the signed form that summarizes those results. Level 1* merchants (more than 6 million transactions per year) are required to submit a RoC/AoC to verify that the required policies, procedures and controls are in place. The RoC/AoC must be completed by a Qualified Security Assessor (QSA) on an annual basis to verify compliance with the applicable controls.

RSM’s consultants are QSA certified and can complete the RoC/AoC for clients. Our approach to a RoC/AoC includes interviews, an analysis of policies and procedures, and validation of the technical controls applied to the cardholder data environment. By using the RoC/AoC to maintain PCI compliance, organizations gain a competitive advantage as they secure their infrastructure, establish a security baseline and increase their overall credibility. Maintaining PCI compliance helps safeguard cardholder data and supports customer confidence. Finally, for an organization to claim “safe harbor,” it must have been in full compliance with the PCI DSS at the time of a breach.

*Note: An acquiring bank or card brand may also require a PCI DSS assessment by an independent QSA for merchants at other levels.
