Where can I download the PCI AOC template?

The PCI Security Standards Council makes the Attestation of Compliance (AOC) reporting templates available for download in its Document Library, both as PDFs and as editable Microsoft Word DOCX documents.

Which AOC template you use depends on the type of assessment you’re going through. For an Onsite Assessment, you’ll use an onsite AOC. For a Self Assessment Questionnaire, there is a range of AOCs, and the one you use depends on which SAQ you’re completing.

Self Assessment Questionnaire (SAQ)

There is a range of SAQ AOCs available, one for each type of SAQ. Select the AOC template corresponding to your current SAQ and complete the details. Note that there isn’t a “general” or “default” AOC, so you need to take care to select the right one.

Direct download links for version 3.2.1 of these document templates in multiple formats are:

  • AOC for SAQ A, Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced: DOCX, PDF
  • AOC for SAQ A-EP, Partially Outsourced E-Commerce Merchants Using a Third-Party Website for Payment Processing: DOCX, PDF
  • AOC for SAQ B, Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage: DOCX, PDF
  • AOC for SAQ B-IP, Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) terminals, No Electronic Cardholder Data Storage: DOCX, PDF
  • AOC for SAQ C, Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage: DOCX, PDF
  • AOC for SAQ C-VT, Merchants with Web-Based Virtual Terminals, No Electronic Cardholder Data Storage: DOCX, PDF
  • AOC for SAQ P2PE, Merchants using Only Hardware Payment Terminals in a PCI SSC-listed P2PE Solution, No Electronic Cardholder Data Storage: DOCX, PDF
  • AOC for SAQ D for Merchants, All Other SAQ-Eligible Merchants: DOCX, PDF
  • AOC for SAQ D for Service Providers, SAQ-Eligible Service Providers: DOCX, PDF
  • AOC extra form for Service Providers – Section 2g: DOCX only

To help you determine which version of the SAQ and AOC you need to complete, there is a flowchart on page 18 of the PCI DSS Self-Assessment Questionnaire Instruction and Guidelines document.

Onsite Assessments

Note that there are two different versions of the Onsite Assessment AOC template: one for Merchants, another for Service Providers. One very common mistake is for companies that are Service Providers to submit a Merchant AOC instead of a Service Provider AOC, or the other way round, so be sure you get the correct version.

Direct download links for version 3.2.1 of these document templates in multiple formats are:

The PCI Security Standards Council also has ROC reporting templates available.
