According to Verizon’s 2022 Payment Security Report, only 43% of businesses achieved complete compliance during their PCI DSS compliance assessment. As a result, over half of companies and the data they handle were vulnerable to data breaches that year.

PCI compliance is required for any entity that processes credit or debit card data or accepts credit or debit card payments. This includes completing a PCI Report on Compliance (ROC) for some organizations. 

We’ll cover all you need to know about a PCI ROC in this post, including who needs one, how the process works, and what to do if you fail it.

What is PCI DSS?

The PCI DSS is an information security standard for organizations that handle credit cards from the major card brands. The PCI DSS requirements ensure that all businesses that process, store, or transmit credit card information maintain secure environments to protect cardholder data from breach, theft, and unauthorized use.

Cardholder data includes the full primary account number, the name of the cardholder, the card’s security code, and the credit card’s expiration date. 

The PCI Security Standards Council (PCI SSC) developed the PCI standards for compliance. The PCI SSC is an independent body created by Visa, Mastercard, American Express, Discover, and JCB, a credit card company based in Japan. 

While merchants are not mandated by law or regulation to adopt PCI standards, the major card brands require compliance via the banks and other organizations that process payment card transactions. 

PCI Compliance Levels

There are four levels of PCI DSS compliance:

Level 1: Any merchant processing over 6 million transactions per year OR that has suffered a data breach. Credit card companies can upgrade any merchant to Level 1 at their discretion. Service providers also have a PCI compliance Level 1. A service provider is an enterprise that processes, stores, or transmits cardholder data on behalf of another business or provides services that could affect cardholder data security. Examples include providers of managed firewalls, intrusion detection or prevention systems, data destruction services, and web hosting. The criteria for Level 1 service providers differ slightly from those for Level 1 merchants: any service provider that stores, processes, or transmits more than 300,000 credit card transactions annually is considered Level 1.

Level 2: Any merchant processing between 1 and 6 million transactions annually across all channels. Service providers also have a PCI compliance Level 2: any service provider that processes, stores, or transmits fewer than 300,000 credit card transactions annually.

Level 3: Any merchant processing between 20,000 and 1 million e-commerce transactions annually.

Level 4: Any merchant processing fewer than 20,000 e-commerce transactions annually or processing up to 1 million regular transactions annually.

The Self-Assessment Questionnaires (SAQ) are a reporting tool used by lower-level merchants and service providers to perform a self-assessment of their compliance with PCI requirements. There are multiple SAQs available, with the specific SAQ being used determined by how customers perform credit card transactions (i.e., card not present vs. card present, fully outsourced authorizations vs. partially outsourced authorizations).

What is a PCI ROC (Report on Compliance)?

A Payment Card Industry Data Security Standard ROC (Report on Compliance) is a report prepared by either a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) who has performed an on-site assessment of the merchant based on the requirements in the PCI DSS. The report contains a detailed description of the assessment results for the merchant’s controls, along with any deficiencies discovered during the assessment.

Assessments result in a Report on Compliance (ROC), Attestation of Compliance (AOC), or both. The ROC and AOC are provided annually to the merchant’s credit card acquiring bank to prove the merchant’s compliance with PCI DSS requirements. The method used to demonstrate compliance depends on the merchant’s compliance level and the requirements of the specific card brand.

Who Needs a PCI DSS ROC?

Level 1 merchants (those that process more than 6 million payment card transactions per year or have had a data breach) will most likely need a ROC. But every merchant that processes payment cards, no matter how few transactions there are, must show compliance with PCI DSS.

Depending on credit card brand guidelines, ROCs are necessary for Level 1 merchants, service providers, and potentially Level 2 businesses. Merchants and service providers that do not require a ROC to comply with PCI must fill out an SAQ.

Key Elements of the PCI ROC Process

QSAs and ISAs use the ROC Reporting Template to summarize findings that detail the controls in place and evidence presented during the audit stage.

After completing a ROC, the assessor will offer their findings to the firm’s acquiring bank. If the acquirer approves the ROC, it is forwarded to the payment brands for verification. 

Payment brands determine the frequency of audits, but in general, a Level 1 merchant or service provider must undergo a thorough audit and complete a ROC once a year.

A ROC is split into two parts: an assessment overview and a summary of findings. 

  • Executive summary: This section provides an overview of the report results concerning cardholder data security.
  • Description of the scope and approach: The network segmentation, payment applications, the PCI DSS version utilized for the evaluation, and the timeframe are detailed.
  • Details regarding the environment under consideration: Includes a schematic of each network segment, an outline of the Cardholder Data Environment (CDE), service providers, audit participants, and related business paperwork.
  • Contact information and report date: This section includes contact information for the merchant and assessor and the report date.
  • Quarterly scan results: An overview of the four most recent quarterly scan findings.
  • Results and observations: A summary of any results that do not fit within the standard ROC framework, including information about compensating controls.

How Long Does It Take to Complete a PCI ROC Assessment?

A PCI QSA examination should take between 3 and 4 weeks, according to merchants. Remember that each company is unique. As a result, the time required to conduct the evaluations, document the findings, and write the ROC report will differ.

Understanding Your PCI ROC Results

For PCI DSS standards, there are five possible assessment findings:

  • In place: Testing has been completed, and all requirements have been satisfied.
  • In place with remediation: The requirement was not satisfied at some point during the assessment, but it was remedied before the assessment was completed.
  • Not applicable: The organization is exempt from the obligation.
  • Not tested: The requirement was not assessed or evaluated in any way.
  • Not in place: Some or all requirements have not been satisfied, are being implemented, or require more testing.

If open issues or concerns remain to be resolved later, an organization is not deemed compliant. Validation is all or nothing: all requirements must be satisfied for an organization to be declared PCI compliant.

Stay Prepared for Your PCI ROC Evaluation with ZenGRC

Data and cybersecurity must be integrated into all organizational activities regardless of regulatory issues. PCI DSS standards are not intended to burden enterprises. Instead, they are designed to assist with the security of networks and online applications to safeguard us from hackers and the consequences of a data breach.

Instead of managing your compliance needs using spreadsheets, use ZenGRC to automate evidence and audit management across all your compliance frameworks. ZenGRC’s compliance, risk, and workflow management software is simple.

ZenGRC has various compliance frameworks and standards for easy adoption, such as PCI, HIPAA, and SOC.

Compliance management has never been easier thanks to One-to-Many control mapping, which accelerates mapping internal controls to various standards so that you can manage PCI DSS compliance alongside other frameworks.

ZenGRC also acts as a single point of truth, ensuring your organization is constantly compliant and audit-ready. Policies and procedures are versioned and easily accessible in the document repository. Workflow management tools include simple monitoring, automatic reminders, and audit trails. Insightful data and dashboards highlight gaps and high-risk areas.

Request a Demo to explore how ZenGRC can help you with compliance and vulnerability management.