Let’s get down to business! Today, we are answering all of your burning questions about the PCI RoC. 

What Does ‘RoC’ Stand for? 

Report on Compliance: the PCI RoC is the documentation that verifies a merchant’s compliance with PCI DSS. It is the single most important form of attestation, serving as proof to stakeholders outside of the company, customers, and others that their information security policies, controls, and procedures meet compliance standards with the goal of protecting cardholder data and preventing data breaches. 

What Does the PCI RoC Cover? 

The RoC is created following a comprehensive assessment carried out by a Qualified Security Assessor (QSA), which includes an onsite audit and a review of controls. An auditor tests the controls, gathers documentation of procedures, and then develops a summary of findings that leads to a final RoC.  

Testing summarized in the RoC is designed to show whether the merchant adheres to the 12 Data Security Standards defined by PCI. It covers factors that include the flow of data within the company, payment applications, networks used, IT policies and internal data security procedures. 

Is My Company Considered a Merchant in Relation to PCI Compliance? 

The PCI Security Standards Council refers to all companies, non-profit organizations, and service providers that process credit card payments as merchants. According to the PCI SSC’s glossary of terms, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five major members of PCI SSC – American Express, Discover, JCB, MasterCard or Visa – as payment for goods, services, and. By the same definition, these are the companies, organizations, service providers that are required to comply with PCI DSS standards. 

What is a PCI reporting level? 

PCI reporting levels define the degree of scrutiny that should be applied to a merchant’s IT security environment. A merchant’s PCI reporting level is determined by the volume of card transactions that it handles per year. 

How Often Do You Need to Be Audited PCI Compliance? 

Auditing frequency is based on the PCI compliance level which is determined by the number of credit card transactions that the company processes annually. For example, a Level 1 merchant, in general, must undergo an audit with a full RoC at least once a year. Your company is automatically upgraded to Level 1 compliance requirements if your company has had data exposed, no matter how many card transactions you process every year. 

Who Is Required to File an RoC? 

The PCI RoC is a form that is generally reserved for Level 1 merchants. It is filled out by the person who completes an audit of the company. 

Businesses with Level 2 and Level 3 processing levels are required to complete different, less rigorous forms. A Level 2 merchant, for instance, generally has to complete and submit a PCI DSS Self-Assessment Questionnaire (SAQ). In some specific instances, they may be required to have an RoC, as well. 

Level 3 merchants have no reporting requirements. However, they are encouraged to self-assess their risk to avoid dangerous data security errors. 

Compliance questions? Get answers!

Book a free 30-minute consultation with a specialist to find your path to compliance. Secure your spot today.


How Often Must an RoC Need be Submitted? 

If your company processes at least six million transactions per year you are required to have an annual audit performed and an RoC submitted each year. In other cases, your bank will tell you whether they wish for you to submit an RoC. 

As noted earlier, businesses that have been affected by data breaches in the past are upgraded to Level 1 and required to meet Level 1 auditing requirements. 

How Long is a PCI RoC Valid for? 

The PCI Report on Compliance is valid for 1 year and compliance must be re-certified annually. 

Who Should Complete the Report on Compliance? 

The PCI RoC must be completed by a Qualified Security Assessor. The assessor can be an internal assessor who works within the company. However, many organizations choose to hire an independent third party to complete this task. Choosing someone from outside the company has a number of advantages over having an internal security assessor perform the task. 

First, an external auditor may discover things that someone with too much familiarity with your systems may miss. External auditors will also have experience with a greater number of companies and their systems, and can make recommendations based on what they’ve learned working with others. Finally, the approval of an external auditor shows partners and clients that your security practices have been independently investigated and validated. 

What’s the Difference Between an RoC and an AoC? 

Both an AoC and an RoC are performed by Qualified Security Assessors (QSAs) as verification of a merchant’s PCI DSS compliance status. An Attestation of Compliance (AoC) is a form that must be completed for merchants to show PCI compliance at any level; it attests to the fact that the merchant has completed a valid SAQ. In contrast, an RoC is only required for merchants held to level 1 compliance standards; it attests to the fact that the merchant has completed a valid SAQ and PCI assessment verified by a QSA.  

Let Us Help You Prepare Your PCI RoC 

Compliance with relevant PCI DSS requirements is a must. At I.S. Partners, we have years of experience and knowledge at your service. Looking for someone to help you understand your data security requirements? Get in touch for a consultation. 

 We’ll discuss your company’s requirements, as well as the best ways to meet them. With our help, you can keep data safer and ensure that you are fulfilling the auditing requirements needed for your vital financial services. Contact us today to learn more about PCI compliance services

About The Author

Comment on this article

Get started

Get a quote today!

Fill out the form to schedule a free, 30-minute consultation with a senior-level compliance expert today!

Great companies think alike.

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Scroll to Top