What is a PCI DSS AOC?

If you’re asking this question, you probably already know that the PCI DSS is the Payment Card Industry Data Security Standard. So what’s the PCI DSS AOC? Well, AOC stands for Attestation of Compliance, and it’s a document that shows your company complies with the requirements in the PCI DSS itself.

Companies subject to the PCI DSS are typically required to demonstrate that they comply with the requirements in the standard on an annual basis. To do this, they go through an assessment process, which produces a report. Once the report is produced, its findings are summarized in the AOC, and the Attestation is then signed by the person doing the assessment, and a member of executive management of the company that was assessed.

How do I get an AOC?

The first step is to ensure that you do actually comply with the requirements of the PCI DSS! If you’ve not deliberately planned for compliance, you’re likely to find some gaps that will take time to remediate. The PCI Security Standards Council publishes some helpful guidance on a prioritized approach to getting compliant.

Once you believe you comply with the requirements, it’s time to kick off the formal assessment process, which should ultimately result in an AOC.

There are actually a couple of different forms of the Attestation of Compliance. To get either one, you need to go through the annual assessment process. How you are assessed depends in turn on whether you’re a service provider or a merchant, and your current card transaction volumes per card brand.

We have dedicated posts discussing the levels and resulting assessment processes for merchants and for service providers.

Regardless of the type of company you are, one of two assessment processes is used, depending on your business’s transaction volume:

  • small to mid-sized businesses have the option to do an SAQ, or Self-Assessment Questionnaire. In this case, the AOC is a form in one of the chapters of the SAQ, which is completed after the rest of the questionnaire;
  • large businesses typically undergo an on-site assessment done by a third-party QSA, or Qualified Security Assessor. At the completion of that process, the QSA and a member of your executive management jointly sign the AOC, signaling your acceptance of the findings.

In either case, you will have a signed AOC that can then be provided to interested parties to demonstrate your current state of PCI DSS compliance. Why others may need to see this information is discussed much more extensively in this article which explains what your PCI certificate really is.