Payment Card Industry (PCI) compliance reporting is required for all organizations that process credit and debit card payments. Depending on PCI Level, organizations are required to report on compliance by having a Qualified Security Assessor (QSA) complete an Attestation of Compliance (AOC). Read on to learn about top AOC PCI compliance considerations.
Considerations for Submitting AOC PCI Compliance Reports
The PCI Security Standards Council (SSC) oversees enforcement of PCI compliance for all organizations involved in card payment processing. Submitting compliance reports (based on PCI Level requirements) to the SSC stakeholders is essential to the PCI compliance process.
Considerations for organizations that must submit AOC PCI compliance reports include the:
- Process for compliance reporting
- Nature of business operations
- PCI DSS validation process
- QSA assessment
Achieving PCI compliance is critical to protecting sensitive card payment data. Identifying the best approach to AOC PCI compliance reporting facilitates a seamless compliance process and reclaims significant bandwidth that would otherwise be spent on these efforts.
Process of PCI Compliance Reporting
The SSC requires PCI-eligible organizations to annually complete some combination of the three different types of reporting documentation for compliance certification:
- Self-Assessment Questionnaire (SAQ) – Used for self-assessment, the SAQ primarily contains yes or no questions designed to assess compliance with the PCI DSS Requirements. The SSC provides different versions of the SAQ based on operations and business activity factors, including but not limited to:
  - The type(s) of technologies used to process payment transactions
  - The outsourced card payment processing service(s) utilized
- Report on Compliance (ROC) – Completed by a QSA, the ROC is the most thorough compliance assessment and verifies compliance with the PCI DSS Requirements. The QSA extensively audits PCI controls and organizational compliance onsite against the corresponding standards.
- Attestation of Compliance (AOC) – An AOC confirms that an organization has met the compliance requirements stipulated by the PCI DSS. AOCs must be completed by individuals who are certified as eligible to do so, so they are generally completed by QSAs as well.
Organizations must use the correct forms when submitting PCI compliance reports.
Types of Attestation of Compliance Forms
The SSC provides various AOC (Attestation of Compliance) forms, corresponding to the different Self-Assessment Questionnaires (SAQs).
AOC forms (based on SAQ categorization) include:
- AOC SAQ A – Applies to merchant transactions in which:
  - Cards are not physically present
  - Cardholder data (CHD) functions are fully outsourced
- AOC SAQ A-EP – Applies to merchant transactions in which payment processing is outsourced via third-party websites
- AOC SAQ B – Applies to merchant transactions in which:
  - Only stand-alone, dial-out terminals are used
  - CHD is not electronically stored
- AOC SAQ B-IP – Applies to merchant transactions in which:
  - Only stand-alone, IP-connected PTS point-of-interaction (POI) terminals are used
  - CHD is not electronically stored
- AOC SAQ C-VT – Applies to merchant transactions in which:
  - Web-based virtual terminals are used
  - CHD is not electronically stored
- AOC SAQ C – Applies to merchant transactions in which:
  - Internet-connected payment application systems are used
  - CHD is not electronically stored
- AOC SAQ P2PE – Applies to merchant transactions in which:
  - Hardware payment terminals in a PCI SSC-listed P2PE solution are used
  - CHD is not electronically stored
- AOC SAQ D for Merchants – Applies to all other merchants required to file SAQs
- AOC SAQ D for Service Providers – Applies to all other service providers required to file SAQs
PCI Levels for Merchants
The PCI compliance reporting documentation that merchants must submit each year depends on the Levels determined by SSC stakeholders. Organizations that process card payments set the specific requirements for reporting AOC PCI compliance.
Per Visa’s compliance guidelines, the PCI Levels for merchants are as follows:
- Level 1 – Merchants that process over 6 million Visa transactions must submit a ROC along with an AOC.
- Level 2 – Merchants that process 1 to 6 million Visa transactions must file an SAQ along with an AOC.
- Level 3 – Merchants that process 20,000 to 1 million Visa transactions must submit an SAQ along with an AOC.
- Level 4 – Merchants that process fewer than 20,000 Visa transactions must file just an SAQ.
While each SSC stakeholder determines the specific transaction volume criteria per Level, they are based on similar ranges and thresholds.
PCI Levels for Service Providers
Service provider PCI Levels are also classified by the volume of transactions processed. According to Mastercard, the service provider PCI Levels include:
- Level 1 – Service providers that process 300,000 or more Mastercard transactions annually must submit a ROC.
- Level 2 – Service providers that process 300,000 or fewer Mastercard transactions annually must submit an SAQ.
Nature of AOC PCI Compliance Business Transactions
Besides determining the correct form to report AOC PCI compliance, it is critical to identify which transactions must comply with relevant PCI Standards (see below). Note that the SSC provides different AOC PCI compliance forms for merchants and service providers.
Merchant Transactions
Based on the AOC PCI compliance v3.2.1 form for onsite assessments, considerations for merchant transactions include:
- Type of business operations – Merchants must report the business classification of their operations. Common industries include:
  - Retail
  - Telecommunication
  - Grocery and supermarket
  - E-commerce
  - Petroleum
- Card payment processing tools – Merchants must report the payment channels used to process CHD transactions, including:
  - Mail order/telephone order (MOTO)
  - E-commerce
  - Card-present (face-to-face)
- Locations for data processing – Merchants must list all sites at which CHD is processed, including but not limited to:
  - Retail outlets
  - Corporate offices
  - Data and call centers
- Payment applications – Merchants must also list the payment applications used to process CHD, such as:
  - Point-of-sale (POS) terminals
  - Back office applications
  - Middleware applications
- Nature of the cardholder data environment – Merchants must list the cardholder data environment (CDE) components, including the segmentation methods used. Critical components include:
  - Connections into and out of the CDE
  - Critical system components (e.g., databases, servers, POS terminals)
- Third-party service providers – Merchants must list the nature of their interactions with service providers, including the services provided. Note that, while third-party service providers remain responsible for their own PCI compliance efforts, the SSC still holds the merchant accountable for compliance violations related to outsourced services. Therefore, merchants must thoroughly evaluate their partners. Common types of third-party service providers include:
  - Payment processors
  - Web-hosting companies
  - Qualified Integrators and Resellers (QIR)
Preparing for AOC submission requires assessing the environments, cybersecurity measures, processes, and system components used to process CHD.
Service Provider Transactions
The AOC PCI compliance v3.2.1 form for onsite assessments for service providers provides a reference for assessing PCI compliance. Considerations for service provider transactions include:
- Nature of services provided – Service providers must assess the types of services that interact with the CDE, some of which include:
  - Hosting services (e.g., applications, hardware, web, security, shared hosting)
  - Managed services (e.g., systems security, IT support, physical security)
  - Payment processing (e.g., POS, MOTO, ATM)
- Processes for card payment processing – Methods used for CHD transactions, including:
  - Storage (e.g., databases, cloud services)
  - Processing (e.g., applications, networks)
  - Transmission (e.g., encryption protocols)
- Locations for data processing – Physical locations used to provide third-party CHD-processing services (including location and number). Locations include:
  - Corporate offices
  - Data and call centers
- Payment applications – Information about applications used in third-party processing of CHD, including:
  - Number of applications
  - Type of application (e.g., POS, e-commerce)
  - Listing status under the Payment Application Data Security Standard (PA DSS)
- CHD environment – Critical components of the CDE must be assessed, including:
  - Connections into and out of the CDE
  - Access points (e.g., network firewalls)
Service providers need to define aspects of CHD processing that must meet AOC PCI compliance requirements.
Validation of PCI Compliance
Merchants and service providers must validate their compliance by assessing their adherence to the PCI Data Security Standards (DSS) Requirements. The PCI DSS Requirements provide the framework and reference for PCI compliance assessment and help guide organizations on compliance best practices.
Since the AOC serves as the validating documentation, merchants should ensure their PCI DSS implementation meets framework stipulations (to the best of their ability) before contacting a QSA for assessment. For expert consideration, merchants should consider contacting a QSA to perform a pre-AOC compliance gap assessment.
PCI DSS Requirements
PCI DSS v3.2.1 stipulates 12 Requirements for eligible organizations to meet as part of AOC PCI compliance. Covered under six goals, the PCI DSS Requirements are:
- Securing networks and systems
  - Requirement 1: Install firewalls for cardholder data protection
  - Requirement 2: Avoid vendor-supplied security parameters
- Protecting cardholder data
  - Requirement 3: Protect stored cardholder data
  - Requirement 4: Encrypt cardholder data transmission over open networks
- Vulnerability management
  - Requirement 5: Secure systems against malware and viruses
  - Requirement 6: Protect systems and applications
- Strengthening access control measures
  - Requirement 7: Restrict access to cardholder data, except for necessary business purposes
  - Requirement 8: Identify and authenticate system access
  - Requirement 9: Protect physical access to cardholder data
- Monitoring and testing networks
  - Requirement 10: Monitor access to networks and cardholder data
  - Requirement 11: Test security systems and processes
- Maintaining information security
  - Requirement 12: Implement an information security policy for all personnel
Compliance with the PCI DSS Requirements will help your organization protect CHD and other sensitive data (e.g., sensitive authentication data (SAD)).
Completing a self-assessment while preparing for AOC PCI compliance will help identify gaps in PCI compliance, especially with the help of a PCI compliance partner. Submitting a PCI DSS AOC will also help protect CHD from costly breach risks and avoid non-compliance fines and penalties.
Upcoming Release of PCI DSS v4.0
Scheduled for release in March 2022, PCI DSS v4.0 will supersede the current version, v3.2.1. The SSC will provide organizations with an 18-month transition period following the v4.0 release to update security protocols and address any gaps in PCI compliance.
Organizations eligible to file PCI DSS AOC can take advantage of this transition period to assess current PCI compliance practices and make relevant organization-wide changes. Working with an experienced PCI compliance specialist will help your organization seamlessly transition from compliance with PCI DSS v3.2.1 to the upcoming v4.0.
PA DSS Requirements
Although the PCI DSS is a more widely applicable framework, the PA DSS also addresses compliance for organizations developing and commercially providing payment applications for processing CHD.
PA DSS v3.2 lists 14 Requirements, which include:
- Requirement 1: Avoid retention of cardholder data elements, including:
  - Full track data
  - Card verification values (e.g., CAV2, CID, CVC2, CVV2)
  - PIN block data
- Requirement 2: Protect stored cardholder data.
- Requirement 3: Secure authentication processes.
- Requirement 4: Log activity within payment applications.
- Requirement 5: Develop payment application security.
- Requirement 6: Secure wireless cardholder data transmission.
- Requirement 7: Test and update payment application security to address vulnerabilities.
- Requirement 8: Implement secure networks.
- Requirement 9: Avoid storing cardholder data on internet-connected servers.
- Requirement 10: Secure remote access to payment applications.
- Requirement 11: Encrypt transmission of sensitive traffic over public networks.
- Requirement 12: Secure access to non-administrative consoles.
- Requirement 13: Implement PA DSS guidelines for customers, resellers, and integrators.
- Requirement 14: Establish defined responsibilities for personnel and train personnel, customers, resellers, and integrators in PA DSS implementation.
Implementing the guidelines stipulated by the PA DSS Requirements is essential for protecting payment applications from breach risks and can help with AOC PCI compliance reporting, especially for service providers.
Working with a QSA
When submitting Attestation of Compliance (AOC) reports, you must work with a QSA to address your organization’s specific AOC PCI compliance goals. The QSA fills out the AOC and must be knowledgeable about PCI compliance to help minimize risks to the security of your organization’s sensitive data.
Considerations for choosing a QSA
Some of the critical factors to consider when choosing a QSA to help complete AOC PCI compliance reports include:
- Gap assessment capability – A QSA plays a critical role in assessing vulnerabilities and gaps in your PCI data security and can advise on strategies for remediation. Specifically, a QSA should help you determine best practices for:
  - Gap assessment (e.g., security configurations and architecture)
  - Vulnerability remediation (e.g., penetration testing, patch management, incident response protocols)
- Understanding of security needs – Each organization has specific PCI security goals and needs. A QSA must understand your organization’s critical needs, especially those regarding:
  - Business classification (e.g., merchant, service provider)
  - PCI Level
  - Size of organization
  - Third-party transactions (e.g., level of outsourcing, services outsourced)
- Track record of assessment – It also helps to review your QSA’s track record for factors including:
  - Experience providing assessments
  - Previous remediations by the PCI SSC
Working with an experienced QSA will help you achieve AOC PCI compliance and protect your organization’s critical assets.
Achieve Effective AOC PCI Compliance Reporting
The security of sensitive PCI data is critical to achieving AOC PCI compliance and protecting against data breaches, which have significant financial, legal, and reputational consequences.
Working with a leading QSA will help identify gaps in your organization’s PCI data security, provide appropriate remediation measures, and simplify the submission of PCI DSS AOC reports. Contact RSI Security today to learn more.