A PCI DSS (Payment Card Industry Data Security Standard) Attestation of Compliance (AoC) is a document that serves as a declaration of the merchant’s compliance status with the PCI DSS. The AoC must be completed by a Qualified Security Assessor (QSA) or the merchant if the merchant’s internal audit performs validation.

Assessments result in either a Report on Compliance (RoC), Attestation of Compliance (AoC), or both. The RoC and/or AoC are provided to the merchant’s credit card acquirer annually to prove its compliance with PCI requirements. The proof of compliance method is determined by the merchant level and the requirements of the specific card brand.

Every merchant and service provider that handles credit card data must have an assessment performed to show that they adhere to the 12 data security standards of the PCI DSS.  The PCI DSS is an information security standard for organizations that handle credit cards from the major card brands. The PCI DSS requirements ensure that all businesses that process, store, or transmit payment card information maintain secure environments.  Under PCI DSS requirements, any merchant using a service provider must monitor the PCI compliance of that vendor.

The PCI Security Standards Council (PCI SSC) developed the PCI standards for compliance. The PCI SSC is an independent body created by Visa, Mastercard, American Express, Discover, and JCB, a credit card company based in Japan. 

The PCI Self-Assessment Questionnaires (PCI SAQs) are used by lower-level merchants (with fewer transactions) to perform self-assessments of their compliance. There are multiple SAQs available; specific PCI SAQs are used to determine how customers perform credit card transactions (i.e., card not present vs. card present, fully outsourced authorizations vs. partially outsourced authorizations.) 

While merchants are not mandated by law or regulation to adopt PCI standards, PCI DSS is mandated by the Payment Card Industry SSC. The requirements include establishing data security policies and removing credit card data from payment terminals and processing systems.

Merchant and Service Provider Levels

Merchants and service providers are classified into levels based on the number of transactions processed in a given year. The levels differ slightly by credit card brand, but assessment requirements for each level are consistent. Generally, the greater number of transactions processed by a merchant or service provider means that the assessment criteria and methodology are more stringent.

There are four compliance levels for merchants and two for service providers.