Blog | 24By7Security

Your PCI DSS Assessment:  ROC, AOC, SAQ & WHY

Written by Sanjay Deo | September 21, 2021

The Payment Card Industry developed the Data Security Standard (PCI DSS) in 2004 against a backdrop of steadily rising credit card transaction volumes, with the objective of protecting cardholder data at every step.

Card security continues to be a serious focus within the industry, where losses due to fraud topped $28 billion worldwide in 2019.

Security Compliance

To strengthen card data protection, merchants who accept card payments and store, process, or transmit cardholder data are required to comply with the Data Security Standard. The standard and its 12 security requirements are enforced by the major payment card brands and by the acquiring (merchant) banks that process card transactions.

Not only are merchants required to comply with the standard, but compliance is also a best security practice in today’s hyperactive credit card environment. In addition, there are a number of benefits to be enjoyed by merchants who comply with the PCI Data Security Standard.

Compliance requirements for retail and e-tail merchants include (1) annual security assessments, (2) forms verifying assessment results, and (3) quarterly external vulnerability scans. Two primary assessment methods are available, along with multiple verification forms. Deciding which is appropriate for you and under what circumstances is where things can get tricky.

Merchant Levels

Before any card merchant (retailer or e-tailer) can tackle the decisions around ROCs, AOCs, and SAQs, it is imperative to know which merchant level applies to you. Merchant levels are defined by each card brand, not by the PCI Security Standards Council itself: the council was founded by the major brands, including Visa, Mastercard, American Express, and Discover, but each brand publishes its own level criteria, and your acquiring bank confirms the level you fall into. The brands generally define four levels of compliance validation for merchants, because one size definitely does not fit all.

Merchants who accept these major card brands vary in size and scope from retail industry giants to regional grocery stores to local car washes. Generally, it is the annual transaction volume for a given brand that determines the merchant level, although other criteria (most notably a prior data breach) can raise the level assigned to a merchant. The table below is based on a chart by PCIJourney.com.

Level | Visa                                  | Mastercard                            | American Express                        | Discover
1     | More than 6 million transactions/year | More than 6 million transactions/year | More than 2.5 million transactions/year | More than 6 million transactions/year
2     | 1 to 6 million                        | 1 to 6 million                        | 50,000 to 2.5 million                   | 1 to 6 million
3     | 20,000 to 1 million                   | 20,000 to 1 million                   | Less than 50,000                        | All other merchants
4     | All other merchants                   | All other merchants                   | N/A                                     | N/A

Note that for Visa and Mastercard the Level 3 band counts e-commerce transactions specifically, while the Level 1 and Level 2 bands count all transactions of that brand. A merchant that qualifies for a level with one brand (for example Level 1 with Visa) is generally treated at that level by the other brands as well.

Level 1 Merchants.

Because they process the greatest volumes of card transactions each year, Level 1 merchants are required to undergo an annual onsite PCI DSS assessment by a Qualified Security Assessor (QSA). The assessor produces a Report on Compliance (ROC) for the merchant. Visa and Mastercard also accept a ROC produced by the merchant's own staff who hold the PCI Internal Security Assessor (ISA) certification, provided an officer of the company signs the attestation. The merchant must also submit passing quarterly ASV scans to its acquiring bank to demonstrate compliance. Memory Jog: QSA + ROC + ASV

ASV scans are external vulnerability scans conducted by an Approved Scanning Vendor, a company certified by the PCI Security Standards Council to perform the external scans called for by PCI DSS Requirement 11.2.2. The scans test a merchant's internet-facing networks and systems for security weaknesses at least quarterly and after any significant change. Under the ASV Program Guide, a scan fails if it finds any vulnerability with a CVSS base score of 4.0 or higher, so the merchant must remediate and rescan until a passing report is obtained; the passing report, not merely the scan itself, is what the acquirer expects to see.

Level 2 Merchants.

Level 2 merchants are generally validated through an annual Self-Assessment Questionnaire (SAQ) and Attestation of Compliance rather than a QSA-led Report on Compliance, and they must also submit passing quarterly ASV scans to their acquiring bank. The brands differ on the details: Mastercard requires that a Level 2 merchant's SAQ be completed by staff holding the PCI ISA certification or by a QSA, and some acquirers ask Level 2 merchants for a full ROC. Confirm with your acquirer which form it will accept. Memory Jog: SAQ (or ROC) + AOC + ASV

Level 3 Merchants.

As a general rule, Level 3 merchants need not undergo third-party security assessments, but instead are eligible to conduct self-assessments of their compliance using a Self-Assessment Questionnaire (SAQ). They must complete an Attestation of Compliance (AOC) testifying to the results of their assessment. Like Level 1 and 2 merchants, Level 3 merchants must also submit quarterly ASV scans. Memory Jog: SAQ + AOC + ASV

Level 4 merchants must still comply with every PCI DSS requirement; what the brands relax is validation, not compliance. Reporting (typically an annual SAQ and quarterly ASV scans) is generally left to the discretion of the acquiring bank, on the grounds that these merchants' transaction volumes, and therefore their aggregate exposure, are low. Low volume does not make an individual merchant a less attractive target, so treat the SAQ and scans as good practice even where your acquirer does not demand them.

Again, these four Merchant Levels are a good rule of thumb for most merchants in determining what assessment methodologies and reporting forms to use in assessing and reporting compliance. However, certain other criteria may also affect these choices, and it is best to verify your individual requirements with your card processing bank. This is especially important if you are a new retailer or e-tailer and unfamiliar with the rules.

ROC – Report on Compliance

The Report on Compliance is the central document resulting from the annual PCI DSS assessment.

The approved template for the Report on Compliance is 187 pages and is available on the PCI Security Standards Council website in PDF form. At the time of writing, the ROC template reflects the current version of the PCI Data Security Standard (v3.2.1, Rev. 1); always download the template that matches the standard version you are being assessed against.

The ROC is a mandatory template for use by Qualified Security Assessors (QSAs) in conducting assessments against the PCI DSS requirements and security assessment procedures. The template, including detailed reporting instructions, was developed to help ensure consistent onsite assessments for all merchants, and a consistent level of reporting among all assessors.

The completed ROC documents the merchant’s compliance status for each of the 12 PCI DSS security requirements.

Once the assessment is completed, an AOC must also be completed and submitted together with the ROC.

AOC – Attestation of Compliance

There are several versions of the AOC, including a merchant version and a service provider version as well as self-assessment versions.

The foremost version is the Attestation of Compliance for Onsite Assessments for Merchants. This 7-page form, which must accompany the ROC when submitted, serves as written verification by the merchant that a valid assessment has been completed on its behalf.

Four sections in the AOC collect specific details related to (1) Assessment Information, (2) the Report on Compliance, (3) Validation and Attestation, and (4) an Action Plan for Non-Compliant Requirements.

The merchant is responsible for ensuring that each section is completed by the appropriate party, including the Qualified Security Assessor.

Attestation of Compliance forms are also integrated into every version of the Self-Assessment Questionnaire.

SAQ – Self-Assessment Questionnaire

For merchants eligible to evaluate and document their own compliance (generally Levels 2 through 4, subject to brand and acquirer rules), eight merchant versions of the Self-Assessment Questionnaire (SAQ) are available on the PCI Security Standards Council website. Each SAQ contains only the subset of the 12 PCI DSS requirements that applies to a particular payment environment, so choosing the right one determines how much of the standard you have to assess yourself against.

Two terms are helpful in determining which SAQ is right for your circumstances.

  • Card-present. This term refers to merchants in brick-and-mortar sales environments or stores where a physical card is presented to be swiped, dipped, tapped, or otherwise accepted in person.
  • Card-not-present. This describes e-commerce merchants who sell online through websites, and merchants who take orders by mail or telephone (MOTO), where the card is not physically presented and its data is keyed or submitted remotely.

The eight SAQs generally apply as follows (each also has eligibility conditions, the most common being that the merchant stores no cardholder data electronically):

  • Card-not-present merchants who fully outsource all cardholder data functions to PCI DSS compliant third parties: SAQ A. E-commerce merchants whose own website controls how the customer is redirected to, or embeds, the third-party payment page: SAQ A-EP.
  • Card-present merchants using imprint machines or standalone dial-out terminals: SAQ B. Card-present merchants using standalone, PTS-approved payment terminals with an IP connection to the processor: SAQ B-IP.
  • Merchants whose payment application system is connected to the internet: SAQ C. Merchants who key one transaction at a time into a web-based virtual terminal provided by a third party, which covers many mail and telephone order operations: SAQ C-VT.
  • Merchants using hardware terminals that are part of a PCI-listed, validated Point-to-Point Encryption (P2PE) solution: SAQ P2PE.
  • All other merchants, including any merchant that stores cardholder data electronically: SAQ D.

If you are eligible for self-assessment, read the eligibility criteria for each SAQ in the Council's SAQ Instructions and Guidelines document before choosing. You must meet every criterion listed for an SAQ to use it; completing a shorter questionnaire you do not qualify for leaves the unassessed requirements unvalidated, and your acquirer has the final say on which SAQ it will accept.

The SAQ document includes an Attestation of Compliance section for merchants to complete once their self-assessment has been performed. In fact, the document is formally titled Self-Assessment Questionnaire and Attestation of Compliance. Like the ROC and AOC, it can be downloaded from the PCI Security Standards Council website.

Before You Get Started

Major payment card brands that comprise the PCI Security Standards Council (e.g., Visa, Mastercard, and others) have the authority to modify compliance requirements. They are also responsible for compliance enforcement, along with the merchant banks who process your payment card transactions.

Before your next PCI DSS assessment, contact your acquiring bank or payment card brand to confirm what type of security assessment and proof of compliance is required of you. This step prevents a wrong choice of assessment method or SAQ and the cost of repeating the work.

Summary

Some 428 billion credit card transactions were processed worldwide in 2020, more than double the volume in 2015, according to Statista. Cardholder data is captured by card scanners and online payment forms and transmitted by smartphones, and securing that data is of paramount importance. To that end, the Payment Card Industry maintains a Data Security Standard with security requirements that govern all members of the payment card industry.

Compliance requirements for retail and e-tail merchants include (1) annual security assessments, (2) forms verifying assessment results, and (3) quarterly external vulnerability scans. Two primary assessment methods are available, along with multiple verification forms.

Merchant compliance with the PCI Data Security Standard can be validated through onsite assessments by Qualified Security Assessors, which the card brands require of the highest-volume merchants, or through a self-assessment process. The four merchant levels, defined by the major payment card brands and confirmed by your acquirer, guide merchants in determining which combination of ROC, AOC, and SAQ applies to their particular circumstances.