Key Takeaways
1. A PCI Report Validates Compliance: There are two types of PCI DSS reports: RoC and SAQ. Both provide formal verification that your organization meets the PCI DSS’s 12 core requirements for protecting cardholder data.
2. PCI Testing Identifies Security Gaps Early: Comprehensive PCI testing—including vulnerability scans, penetration tests, and configuration reviews—ensures controls are properly implemented and secure before the audit begins.
3. PCI Audits Build Trust and Assurance: A successful PCI audit, especially when conducted by a QSA, demonstrates to banks and partners that your organization protects payment data effectively.
Every business that stores, processes, or transmits cardholder data must be able to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS). But how you prove that compliance depends on your annual transaction volume and your merchant level. For some organizations, a full Report on Compliance (RoC) is required. Others complete a Self-Assessment Questionnaire (SAQ). Both are considered PCI reports, but the scope, depth of PCI testing, and level of assurance vary significantly.
In this blog, we break down the two main types of PCI DSS reports—RoC vs SAQ—so you know exactly what your organization needs and how to prepare for a successful PCI audit.
What Is a PCI DSS Report?
A PCI DSS report is the formal documentation used to validate whether an organization meets the PCI DSS security requirements. The two primary report types are:
- Report on Compliance (RoC)
- Self-Assessment Questionnaire (SAQ)
Regardless of which report your organization must complete, the goal is the same: ensure cardholder data is protected through strong security controls, ongoing PCI testing, and annual PCI audit activities.
RoC: Required for PCI DSS Level 1
A RoC is the highest level of PCI DSS validation. It is required for:
- Merchants processing more than 6 million transactions per year
- Service providers designated as high-risk by card brands or acquirers
A RoC must be completed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) and includes:
- A comprehensive review of security policies and procedures
- Network architecture evaluation
- Configuration reviews of systems and applications
- Evidence collection and sampling
- Interviews with key personnel
- Validation of all 12 PCI DSS requirements
- Detailed PCI testing and documentation of controls
A RoC is the most rigorous PCI audit path and provides the strongest level of assurance to acquiring banks and card brands.
SAQ: Required for PCI DSS Levels 2–4
For organizations not required to undergo a Level 1 PCI audit, the SAQ serves as their PCI report. An SAQ is a series of yes/no questions covering all PCI DSS controls. SAQs are used by:
- Level 2 merchants: 1–6 million transactions annually
- Level 3 merchants: 20,000–1 million annual e-commerce transactions
- Level 4 merchants: Fewer than 20,000 annual e-commerce transactions (or up to 1 million in-store transactions)
An SAQ includes:
- Attestation that PCI DSS requirements are met
- Documentation of security processes
- Verification that cardholder data is properly protected
- Submission of the Attestation of Compliance (AOC)
There are eight SAQ types, each designed for different payment environments:
- SAQ A: For merchants outsourcing all cardholder data functions
- SAQ A-EP: For e-commerce merchants with partially outsourced payment pages
- SAQ B/B-IP: For merchants using imprint machines or standalone dial-out terminals
- SAQ C: For merchants with payment systems connected to the internet
- SAQ C-VT: For merchants using virtual terminals
- SAQ D (Merchant): For merchants with complex environments
- SAQ D (Service Provider): For service providers eligible for SAQ reporting
While PCI DSS Levels 2–4 organizations can complete an SAQ on their own, doing so comes with risks. Many organizations still choose to work with a QSA to ensure accuracy, reduce risk, and avoid compliance gaps. Misinterpreting a requirement or overlooking a gap can result in non-compliance penalties, mandatory forensic investigations after a breach, loss of merchant processing privileges, and costly remediation work.

Why PCI DSS Compliance Matters, and How IS Partners Can Help
PCI DSS compliance isn’t just about meeting an industry mandate—it’s about protecting your customers, reputation, and revenue. Noncompliance can result in costly fines, data breaches, and loss of merchant privileges.
A validated PCI report demonstrates your organization’s commitment to securing cardholder data and maintaining trust with partners and payment processors. It also provides actionable insights for strengthening your overall cybersecurity posture.
At IS Partners, LLC, we help organizations simplify PCI DSS compliance through expert guidance, end-to-end testing, and audit readiness support. Our team of QSAs and IT audit professionals can help you:
- Conduct a PCI readiness assessment to identify gaps before your formal audit.
- Perform comprehensive PCI testing across your networks and systems.
- Prepare and submit your PCI report and Attestation of Compliance.
Whether you’re a merchant, service provider, or financial institution, IS Partners provides tailored support to ensure your PCI DSS compliance program meets industry standards and protects your business from risk.
What Should You Do Next?
Conduct a PCI Readiness Assessment: Review your Cardholder Data Environment (CDE) and current security controls to identify potential compliance gaps before your formal audit.
Schedule PCI Testing: Engage a QSA or internal assessment team to perform required vulnerability scans, penetration tests, and configuration reviews.
Partner with a PCI Compliance Expert: Work with an experienced firm like IS Partners to guide your PCI DSS compliance journey—from readiness assessments to audit reporting and continuous monitoring.