The PCI Report on Compliance (ROC) and the Report on Compliance (ROC) are two essential documents in assuring the safety of cardholder data in the arena of data security and compliance. While both are related to the Payment Card Industry Data Security Standard (PCI DSS), they serve different merchant and service provider groups. The PCI ROC is a comprehensive examination designed to evaluate a company’s security controls targeted at protecting cardholder data. It rigorously evaluates conformity to all 12 PCI DSS rules, providing light on any problems detected during the assessment process. It is worth noting that not every merchant or service provider is required to undertake a ROC, implying that there is some leeway in the compliance landscape.

The ROC, on the other hand, is a required form intended exclusively for Level 1 Visa merchants undertaking a Payment Card Industry Data Security Standard audit. Level 1 merchants, defined as those who conduct more than 6 million Visa transactions each year, are required to complete this report. Additionally, Level 2 merchants who handle 1 million to 6 million transactions per year may be required to prepare a ROC. The primary goal of these reports is to determine and validate compliance with the PCI DSS, a set of standards developed collectively by major card issuers such as American Express, Discover, Mastercard, and Visa. These standards are critical in strengthening policies and procedures to protect cardholder data against fraudulent activities and other potential misuses of personal information, as well as in improving the security of card-based transactions.

It is important to note that the Payment Card Industry Data Security Standard works in tandem with other industry standards such as ISO 27000 and the National Institute of Standards and Technology (NIST) Special Publication 800-53. In the ever-changing landscape of data protection, this collaborative approach offers a multifaceted and effective defense against security threats. Finally, both the PCI ROC and the ROC help to provide a secure environment for cardholder data, albeit with different foci and applicability depending on the nature and scale of the merchant’s operations.


Ensuring Payment Card Industry Data Security Standard compliance requires a complex strategy based on the merchant’s level and potential data breach history. The Report on Compliance (ROC), which is required for Level 1 merchants and service providers, as well as any company that has experienced a data breach involving cardholder data, is an important document in this process. Level 2 merchants may also require a ROC, depending on the terms of credit card brands such as Visa, Mastercard, or Discover.

In contrast, Level 2, 3, and 4 merchants and service providers often navigate compliance by completing a self-assessment questionnaire (SAQ). It is critical to determine your organization’s unique PCI compliance level, as this designation defines the sort of evaluation or questionnaire required to demonstrate adherence to security requirements.

While the yearly ROC or SAQ serves as a comprehensive compliance review, firms should not forget the need for quarterly external inspections conducted by approved scanning vendors (ASVs). These ASVs perform vulnerability scans to assess the security of an organization’s externally facing networks and systems. The PCI compliance level determines the frequency and scope of these scans, with Level 1 merchants and service providers voluntarily undergoing both ROC and quarterly external ASV scans.

Here’s a simplified explanation of the PCI compliance validation levels and the requirements that go with them

  • PCI Level 1 Merchants: ROC and quarterly external ASV scans
  • PCI Level 2 Merchants: ROC or SAQ (credit card brand-dependent) and quarterly external ASV scans
  • PCI Level 3 Merchants: SAQ and quarterly external ASV scans
  • PCI Level 4 Merchants: SAQ and quarterly external ASV scans
  • PCI Level 1 Service Providers: ROC and quarterly external ASV scans
  • PCI Level 2 Service Providers: SAQ and quarterly external ASV scans

This systematic, layered approach ensures that businesses tailor their compliance efforts to their operational context, establishing a robust and adaptive security framework in the ever-changing data protection world.


The PCI Security Standards Council (SSC) provides a 200+ page templated report known as the ROC. Although the precise contents of this report may differ based on the size, complexity, and assessment methodology of the Qualified Security Assessor (QSA) of the company, a conventional ROC usually includes the following essential elements:

1. Executive Summary: This segment provides an overview of the report’s findings, particularly focusing on aspects related to the security of cardholder data.

2.  Scope of the Report: This section clarifies the boundaries of the compliance officer’s review, explicitly stating what aspects were scrutinized and what elements were excluded from the assessment.

3.  Review of the Compliance Process: Within this part, the compliance process is thoroughly examined. It sheds light on the organization’s procedures and processes employed to meet the stipulated requirements, offering insights into their functionality.

4.  Summary of Findings: A critical component of the ROC, this section evaluates the effectiveness of the processes. It articulates the strengths, weaknesses, and identified risks and provides an overall summary of the results derived from the compliance assessment.

5.  Next Steps: Offering practical guidance, this section outlines recommendations for the organization to enhance its compliance in the future. It addresses any shortcomings identified during the assessment, providing a roadmap for improvement.

Essentially, the ROC functions as an elaborate and customized record that captures every detail of an organization’s compliance with PCI DSS rules. In addition to highlighting the state of compliance, it is a great tool for continual enhancement and risk reduction.



When a Qualified Security Assessor (QSA) conducts a ROC assessment, it involves a thorough on-site inspection that explores an organization’s security policies, procedures, and controls related to the handling of cardholder data. Using an ROC reporting form, the QSA compiles its findings, which include documentation and controls that were examined during the audit. The QSA notifies the company’s purchasing bank of the results after the evaluation. Payment brands validate the ROC once it is accepted to make sure it is accurate and compliant. This painstaking procedure guarantees a thorough assessment of security measures and helps to preserve the accuracy of cardholder data handling procedures. 

The process of completing your PCI ROC can be facilitated by following these six steps.

Step 1. Find a QSA: To properly begin the PCI ROC process, it is critical to find a credible and qualified Qualified Security Assessor (QSA). A flawless evaluation requires effective collaboration with the designated QSA. Determine a QSA’s suitability for your organization by looking for relevant industry experience and size compatibility. Request specific proposals from possible QSAs, learn about their evaluation procedure, and evaluate their reputation using client references, online reviews, and testimonies. In addition, speak with potential QSAs to discuss your organization’s specific needs and to understand their assessment approach. This rigorous selection approach lays the groundwork for a fruitful PCI ROC assessment.

Step 2: Provide Documentation to Your QSA: After procuring the services of a Qualified Security Assessor (QSA), the next critical step is gathering and distributing critical assessment documentation. Security policies, data flow maps, network and payment app details, security controls documentation, user access management policies, incident response plans, evidence of security awareness training, recent security assessment reports, and previous ROC reports, if applicable, are all required documents. Understanding unique requirements necessitates close coordination with the QSA. A proactive approach to document preparation and organization facilitates a simpler and more effective ROC assessment process, ensuring a full review of PCI DSS compliance.

Step 3: The QSA Conducts Their Evaluation: The QSA performs an intensive assessment, including an audit and a full control review, testing the 12 PCI compliance standards. Interviews, evidence collection, network scanning, and testing of security features such as encryption and access management are all part of this on-site audit. The QSA notes their findings, noting any instances of noncompliance or areas for development, contributing to an accurate evaluation of the organization’s adherence to PCI requirements and strengthening data security safeguards.

Step 4:  The QSA completes the Report on Compliance (ROC): Following the assessment, the Qualified Security Assessor (QSA) compiles their findings into a detailed ROC, which provides a thorough understanding of the organization’s PCI compliance status as well as supporting evidence and suggestions. The findings summary includes the following outcomes: “In Compliance” means that all requirements were satisfied as expected, whereas “In Compliance with Remediation” means that any initial non-compliance was corrected before the assessment was completed. “Not Applicable” indicates that some rules do not apply to the environment of the organization. In contrast, “Not in Compliance” indicates that some or all standards remain unfulfilled, necessitating continued implementation or additional testing. Finally, “In Compliance with Compensating Control” presents examples in which compliance was achieved by using a compensating control.

Step 5: Address and resolve any compliance gaps identified in the ROC: If your Qualified Security Assessor (QSA) discovers gaps or instances of non-compliance (“Not in Place”) during the assessment, it is critical to develop a remediation plan outlining the activities required to close each identified gap. Collaboration with the QSA is required to validate the effectiveness of your repair efforts. Certain gaps may demand retesting or additional evaluations to ensure their successful closure. This collaborative approach assures a thorough and effective remedial procedure that adheres to best practices in compliance maintenance.

Step 6: The QSA finalizes an Attestation of Compliance (AOC): The Qualified Security Assessor (QSA) completes an attestation of compliance (AOC) after addressing and correcting detected weaknesses. This critical document confirms that the corporation has undergone a thorough examination and is presently in conformity with PCI rules. Following that, the QSA provides the AOC as well as the ROC to the organization’s acquiring bank and the relevant payment card companies. This stage is critical for verifying and validating the organization’s compliance status, providing a transparent and recorded assurance of PCI compliance.


Transaction volume and specified conditions determine PCI DSS compliance levels.

  • Level 1: This includes merchants who handle more than 6 million transactions each year or those who have experienced a data breach. Credit card issuers can raise any merchant to level 1 at their discretion. Furthermore, service providers operate under PCI Compliance Level 1. A service provider is an entity that manages cardholder data on behalf of another firm or provides services that affect cardholder data security. Providers of managed firewalls, intrusion detection and prevention systems, data deletion services, and web hosting are a few examples. The criteria for level 1 service providers differ slightly from those for level 1 merchants, with any service provider handling more than 300,000 credit card transactions per year being level 1.
  • Level 2: This applies to merchants who handle 1 to 6 million transactions per year across all channels. PCI compliance Level 2 also applies to service providers who perform fewer than 300,000 credit card transactions each year.
  • Level 3: This applies to merchants who conduct between 20,000 and 1 million e-commerce transactions each year.
  • Level 4: Designed for businesses that conduct less than 20,000 e-commerce transactions per year or up to 1 million regular transactions per year.

Self-Assessment Questionnaires (SAQs) are used as reporting tools for lower-level merchants and service providers during the evaluation process. The type of credit card transaction, like card-not-present versus card-present, or entirely outsourced versus partially outsourced authorizations, determines the specific SAQ. It offers a formal framework for self-assessment against PCI rules.


Merchants typically expect a PCI QSA assessment to last between 3 and 4 weeks. However, it is critical to recognize each company’s uniqueness, which means that the time required for the evaluation process, documentation of findings, and compilation of the ROC (Report on Compliance) report can vary significantly depending on the specific characteristics and complexities of each organization. The difference in the timing for completing the PCI QSA assessment is due to factors such as the size of the firm, the complexity of its infrastructure, and the scope of its cardholder data environment. When evaluating the timing of this compliance assessment, flexibility and a bespoke approach are crucial to ensuring a full and comprehensive review aligned with the specific characteristics of each organization.


In addition to penalties and fines, noncompliance with PCI regulations may result in an inability to conduct credit card transactions. As a result, companies handling payment card data must strictly comply with these guidelines. It becomes crucial to create a remediation plan targeted at addressing and closing any security holes found during the assessment process if your qualified security assessor (QSA) finds any gaps or non-compliance. For the purpose of correcting any non-compliance noted in the Report on Compliance (ROC), the QSA may offer a 30- to 45-day timeframe.

Prioritize actions according to their importance and possible influence on security in order to handle the remediation process efficiently. For PCI compliance, think about using the PCI SSC Prioritized Approach, a thorough six-step procedure that directs the execution of standards according to their priority levels.

It’s critical to continue monitoring and reviewing your organization’s security procedures after restoration. This guarantees continuous compliance and permits prompt modifications to handle any upcoming shifts or advancements in the constantly changing field of payment card data security.


How often should a company undergo a PCI RoC assessment?

Companies are typically required to undergo a PCI ROC assessment annually. The company’s PCI DSS compliance level influences the frequency, requiring Level 1 merchants to undergo a yearly assessment, while Level 2 merchants may have flexibility based on credit card brand requirements.

What is the role of a Qualified Security Assessor (QSA) in the PCI RoC process?

A Qualified Security Assessor (QSA) conducts comprehensive PCI RoC assessments, involving on-site inspections and evaluations of security measures related to cardholder data. Findings are compiled into a detailed Report on Compliance (ROC).

Why is it important to monitor and review security procedures after completing the PCI RoC assessment?

Continuous monitoring and reviewing of security procedures are vital for maintaining PCI compliance. This ensures that the organization stays in line with the PCI DSS rules and can promptly adapt to any changes or advancements in the field of payment card data security.

Who is required to undertake a PCI RoC, and what are the criteria for different PCI DSS compliance levels?

PCI RoC obligation varies by PCI DSS compliance level. Level 1 merchants must undergo a RoC, while Levels 2-4 often complete a self-assessment questionnaire (SAQ). Understanding the criteria is crucial for effective compliance.

What is the significance of PCI DSS compliance levels, and how do they affect the assessment process?

PCI DSS compliance levels, influenced by transaction volume and specific conditions, dictate the assessment type. Understanding levels is crucial for tailored compliance, determining if a RoC, self-assessment questionnaire (SAQ), or quarterly ASV inspections are needed.

Get In Touch 

have a question? let us get back to you.