The PCI DSS Attestation of Compliance (AOC) is an official document that verifies an organization's adherence to the Payment Card Industry Data Security Standard (PCI DSS).
This standard, established by the major card brands (Visa, Mastercard, American Express, Discover, and JCB), specifies the security controls required for handling cardholder data and protecting against payment card fraud.
The AOC is issued by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) following a comprehensive assessment of the organization's cardholder data environment and overall security posture.
Organizations that store, process, or transmit payment card information are required to obtain an AOC. This includes:
The necessity for an AOC is determined by the organization's PCI compliance level, which is based on the number of annual transactions processed. Larger organizations, such as those processing over 6 million transactions annually, typically require a more rigorous assessment and a full Report on Compliance (ROC) in addition to the AOC.
To obtain an AOC, organizations must undergo an assessment process:
Note that the AOC is typically valid for one year, after which a new assessment is required to maintain compliance.
The AOC plays a crucial role in PCI audits by serving as formal evidence of an organization's compliance with PCI DSS. During audits, the AOC is reviewed to verify that the organization has implemented the necessary security controls and practices to protect cardholder data. Additionally, the AOC helps auditors assess the scope of compliance and identify areas that may require further attention or improvement.
1. Compliance Validation: The AOC confirms that the organization has successfully met all the applicable requirements outlined in the PCI DSS. These requirements cover various aspects of data security, including network security, access controls, data encryption, vulnerability management, and ongoing security monitoring.
2. Security Controls Implementation: The AOC verifies that the organization has implemented the necessary security controls and practices to protect cardholder data. This includes the establishment of secure network infrastructure, strong access controls, encryption of sensitive data, regular security testing, and vulnerability management processes.
3. Scope of Compliance: The AOC specifies the scope of the compliance assessment, indicating the systems, processes, and network segments that were included in the evaluation. It defines the boundaries of the cardholder data environment within the organization and identifies the areas subject to the PCI DSS requirements.
4. Validity and Expiration: The AOC has an expiration date; it is typically valid for one year, after which the organization must undergo a new assessment and obtain a renewed AOC. It is essential for organizations to maintain ongoing compliance with the PCI DSS to ensure the security of cardholder data.
5. Compliance Responsibility: The AOC clarifies the organization's responsibility for maintaining compliance with the PCI DSS. It highlights the need for regular monitoring, periodic assessments, and timely remediation of any identified vulnerabilities or non-compliant practices.
Maintaining a valid AOC is essential for organizations to demonstrate their commitment to securing cardholder data and complying with industry standards.