What is Attestation Of Compliance (AOC)
Introduction
The PCI DSS (Payment Card Industry Data Security Standard) requires that any entity involved in some way with the CDE (Cardholder Data Environment), where account data (cardholder data and/or sensitive authentication data) can be affected directly or indirectly through the storing, processing, or transmitting of payment card information, shall take adequate security measures according to the standard's requirements.
At the top of the chain are the payment brands (credit card companies) and the acquirers. They are the ones who enforce PCI DSS compliance on the whole industry.
The Payment Card Industry Data Security Standard (PCI DSS) was established to provide clear security measures for entities and organizations dealing with CHD (cardholder data).
Payment brands are very much interested in enforcing cybersecurity measures in the payment card sector. However, the entities who practically enforce the PCI DSS requirements are the acquirers and issuers.
The PCI SSC provides a few types of assessment for different purposes, according to the business interests and needs of the acquirers and issuers. It is the entity's responsibility to make sure that it is compliant with the standard's requirements.
PCI DSS Requirements
PCI DSS requirements apply to entities with computing platforms where account data (cardholder data and/or sensitive authentication data) is stored, processed, or transmitted, and to entities with environments that can impact the security of the CDE. Some PCI DSS requirements may also apply to entities with environments that do not store, process, or transmit account data – for example, entities that outsource payment operations or the management of their CDE. Entities that outsource their payment environments or payment operations to third parties remain responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.
For each type of assessment, there is a designated AOC and either an SAQ (Self-Assessment Questionnaire) or a ROC (Report on Compliance):
Service Provider will always take one of the following assessments:
- ROC or SAQ D.
Merchant can take any one of the following:
- SAQ A, SAQ A-EP, SAQ B, SAQ B-IP, SAQ C, SAQ C-VT, SAQ D or ROC.
Level | Service Provider | Merchant
---|---|---
1 | ROC | ROC
2 | SAQ D | SAQ A, SAQ A-EP, SAQ B, SAQ B-IP, SAQ C, SAQ C-VT or SAQ D
3 | NA | SAQ A, SAQ A-EP, SAQ B, SAQ B-IP, SAQ C, SAQ C-VT or SAQ D
4 | NA | SAQ A, SAQ A-EP, SAQ B, SAQ B-IP, SAQ C, SAQ C-VT or SAQ D
A Level 1 ROC can be attested and certified only by a QSA company and a QSA auditor. An entity shall verify that the company is registered with the PCI SSC as a QSA Company and that its QSA personnel are also qualified.
Self-Assessment:
The PCI SSC has composed specific assessment criteria for various business profiles. Each SAQ extracts the specific requirements from the complete standard (PCI DSS) according to the service and the entity's involvement with transacting, storing or processing CHD. The entity has to make sure that its business profile adequately fits the designated assessment (SAQ and AOC) it chooses to comply with. For further guidance, it is essential to carefully read the PCI SSC document "SAQ Instructions and Guidelines", which can be found on the PCI SSC website under Resources/Document Library.
Once an entity has determined which assessment it has to undergo, the proper SAQ documentation has to be filed. For each assessment type, there are two documents to fill in:
1) SAQ - defines which requirements, out of all the standard's requirements, have to be fulfilled.
2) AOC - attests that the assessment (SAQ) has been completed. Usually only the AOC has to be submitted to the acquirer, the merchant, or other service providers.