What is a PCI DSS AOC? And how do I get one?

If you’re asking about a PCI DSS AOC, you probably work in the card payments space. It’s well known that the PCI DSS is the Payment Card Industry Data Security Standard, which all merchants and service providers have to comply with. So what’s a PCI DSS AOC? Well, in this case AOC stands for Attestation of Compliance. It’s a document used to show that a company complies with the twelve requirements in the PCI DSS itself.

PCI AOC Cover Page
PCI AOC – Merchants Cover Page

Companies subject to the PCI DSS are typically required to demonstrate that they comply with the requirements in this standard on an annual basis. To do this, they go through an assessment process, which produces a report. Once the report is produced, its findings are summarized in the AOC, and the Attestation is then signed by the person doing the assessment, and a member of executive management of the company that was assessed.

Contents

How do I get an AOC?

Are you looking for an AOC for your own company, or for an outside company? If you’re dealing with an outside company, and for some reason you’ve been asked to get their PCI AOC, ask them! If you are exchanging PCI DSS Card Holder Data with them, they should give you a copy of their AOC on request.

Unfortunately, getting an AOC for your own company can be much more complicated.

Preparing

The first step is to ensure that you do actually comply with the requirements of the PCI DSS! If you’ve not deliberately planned for compliance, you’re likely to find some gaps that will take time to remediate. The PCI Security Standards Council publish some helpful guidance on a prioritized approach to getting compliant.

Assessment

Once you believe you comply with the requirements, it’s time to kick off the formal assessment process. One artifact produced by the assessment will be your AOC.

There are actually a couple of different forms of the Attestation of Compliance. To get either one, you need to go through the annual assessment process. How you are assessed depends in turn on whether you’re a service provider or a merchant, and your current card transaction volumes per card brand.

We have dedicated posts discussing the levels and resulting assessment processes for merchants and for service providers.

Regardless of the type of company you are, there are basically two different assessment processes which are used, depending on your business’ transaction volume:

  • small to mid-sized businesses have the option to do an SAQ, or Self-Assessment Questionnaire. In this case, the AOC is actually a form in one of the chapters of the SAQ, which will be completed after the rest of the questionnaire;
  • large businesses typically undergo an on-site assessment process done by a 3rd-party QSA, or Qualified Security Assessor. At the completion of that process, the QSA and a member of your executive management will jointly sign the AOC, signaling your acceptance of the findings.

In either case, you will have a signed AOC that can then be provided to interested parties to demonstrate your current state of PCI DSS compliance. Why others may need to see this information is discussed much more extensively in this article which explains what your PCI certificate really is.