Where can I download a PCI AOC template? [PCI v4 Update]

The PCI Security Standards Council makes copies of the various Attestation of Compliance (AOC) reporting templates available for download, as both PDFs and editable Microsoft Word DOCX documents, in their Document Library. Read on for help in choosing which of these forms to use.

Which AOC template you will use depends on the type of assessment you’re going through. If it’s an Onsite Assessment, you’ll be using an onsite AOC. If you’re doing a Self Assessment Questionnaire, there are a range of different AOCs to use depending on which SAQ you’re completing.

Self Assessment Questionnaire (SAQ)

There are a range of SAQ AOCs available, with one for each type of SAQ. Simply select the AOC template corresponding to your current SAQ, and complete the details. Note that there isn’t a “general” or “default” AOC, so you need to take care to select the right one.

Which SAQ do I use?

To help you determine which version of the SAQ and AOC you need to complete, there is a flowchart on page 23 of the PCI DSS Self-Assessment Questionnaire Instruction and Guidelines document.

AOC Download Links

Direct download links for version 4 of these document templates in multiple formats are:

  • AOC for SAQ A, Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced: DOCX, PDF
  • AOC for SAQ A-EP, Partially Outsourced E-Commerce Merchants Using a Third-Party Website for Payment Processing: DOCX, PDF
  • AOC for SAQ B, Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage: DOCX, PDF
  • AOC for SAQ B-IP, Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) terminals, No Electronic Cardholder Data Storage: DOCX, PDF
  • AOC for SAQ C, Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage: DOCX, PDF
  • AOC for SAQ C-VT, Merchants with Web-Based Virtual Terminals, No Electronic Cardholder Data Storage: DOCX, PDF
  • AOC for SAQ P2PE, Merchants using Only Hardware Payment Terminals in a PCI SSC-listed P2PE Solution, No Electronic Cardholder Data Storage: DOCX, PDF
  • AOC for SAQ D for Merchants, All Other SAQ-Eligible Merchants: DOCX, PDF
  • AOC for SAQ D for Service Providers, SAQ-Eligible Service Providers: DOCX, PDF

QSA-led Onsite Assessments

Note that there are two different versions of the Onsite Assessment AOC template: one for Merchants, another for Service Providers. One very common mistake is for companies who are Service Providers to submit a Merchant AOC instead of a Service Provider AOC, or the other way round. So be sure you get the correct version.

Direct download links for version 4 of these document templates in multiple formats are:

The PCI Security Standards Council also have ROC reporting templates available.