A Payment Card Industry Data Security Standard RoC (Report on Compliance) is a report prepared by either a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) who has performed an on-site assessment of the merchant based on the requirements in the PCI-DSS. The report contains a detailed description of the results of the assessment of the merchant’s controls, along with any deficiencies discovered during the assessment.

Assessments result in either a Report on Compliance (RoC), Attestation of Compliance (AoC), or both. The RoC and AoC are provided annually to the merchant’s credit card acquiring a bank to prove the merchant’s compliance with PCI DSS requirements. The method used to prove compliance depends on the merchant’s compliance level and the requirements of the specific card brand.

Level 1 merchants–those that process more than 6 million payment card transactions per year or that have had a data breach–are most likely to need a RoC. But every merchant that processes payment cards, no matter how few the transactions, must show compliance with PCI DSS.

What is PCI DSS?

The PCI DSS is an information security standard for organizations that handle credit cards from the major card brands. The PCI DSS requirements ensure that all businesses that process, store, or transmit credit card information maintain secure environments, with the intent of protecting cardholder data from breach, theft, and unauthorized use.

Cardholder data includes the full primary account number, the name of the cardholder, the card’s security code, and the credit card’s expiration date. 

The PCI Security Standards Council (PCI SSC) developed the PCI standards for compliance. The PCI SSC is an independent body created by Visa, Mastercard, American Express, Discover, and JCB, a credit card company based in Japan. 

While merchants are not mandated by law or regulation to adopt PCI standards, the major card brands do require compliance via the banks and other organizations that process payment card transactions. 

PCI Compliance Levels

There are four levels of PCI DSS compliance:

Level 1: Any merchant processing over 6 million transactions per year OR that has suffered a data breach. Credit card companies can upgrade any merchant to Level 1 at their discretion.  Service providers also have a PCI compliance level 1.  A service provider is an enterprise that processes, stores, or transmits cardholder data on behalf of another business, or that provides services that could affect cardholder data security.  Some examples of service providers are those providing managed firewalls, intrusion detection or prevention systems, data destruction services, and web hosting providers.  The criteria for Level 1 service providers are slightly different than for Level 1 merchants in that any service provider that stores, processes, or transmits more than 300,000 credit card transactions annually is considered Level 1.  

Level 2: Any merchant processing between 1 and 6 million transactions annually across all channels.  Service providers also have a PCI compliance level 2. Any service provider that processes, stores, or transmits fewer than 300,000 credit card transactions per year.  

Level 3: Any merchant processing between 20,000 and 1 million e-commerce transactions per year.

Level 4: Any merchant processing less than 20,000 e-commerce transactions annually or any merchant processing up to 1 million regular transactions per year.

The Self-Assessment Questionnaires (SAQ) are a reporting tool used by lower-level merchants and service providers to perform a self-assessment of their compliance with PCI requirements. There are multiple SAQs available, with the specific SAQ being used determined by how customers perform credit card transactions (i.e., card not present vs. card present, fully outsourced authorizations vs. partially outsourced authorizations).