Compliance with the Payment Card Industry Data Security Standard (PCI DSS) can be challenging for many retailers and other businesses that process payment card transactions. So sometimes the cynical question arises: how bad could non-compliance with PCI-DSS be? 

Pretty bad, actually. 

Any company that processes, stores, or transmits credit card information must comply with the PCI DSS. If not, your payment processor can take action. For instance, in 2010 Heartland Payment Systems agreed to pay Visa cardholders $60 million for a data breach Heartland had suffered. More recently, in 2022 convenience store chain Wawa had to shell out $8 million because of a data breach that compromised sensitive information across all Wawa stores.

One important step in achieving PCI compliance is the Attestation of Compliance, typically known as the AoC. In this guide we’ll delve deeper into how getting an AoC can help you save money and assure compliance.

What Is a PCI Attestation of Compliance?

A PCI DSS Attestation of Compliance (AoC) is a document that declares a merchant’s compliance status with the PCI DSS. It validates the company’s adherence to PCI DSS, an information security standard for organizations dealing with credit cards issued by major card brands.

Who Needs an Attestation of Compliance?

Any business managing cardholder data must obtain an Attestation of Compliance (AoC) by completing a validation assessment with a Qualified Security Assessor (QSA). The AoC proves compliance with the 12 data security standards of the PCI DSS. 

Merchants aren’t required by law to adopt PCI standards. Rather, a consortium of major credit card brands known as the Payment Card Industry Security Standards Council (PCI SSC) developed the PCI DSS standard, and the consortium requires PCI DSS compliance if your business wants to accept and process payment card transactions. The bottom line is that if your business wants to accept credit cards, you must implement the PCI DSS standard or the credit card brands won’t do business with you. 

That said, the standard does establish different tiers of compliance, depending on the size of your business and the number of credit card transactions you process. The larger your operation, the more rigorous compliance standards you must meet. 

Merchant and service provider levels

Merchants and service providers are classified into levels based on the number of transactions processed in a given year. The levels differ slightly by credit card brand, but assessment requirements for each level are consistent. Generally, the greater number of transactions processed by a merchant or service provider, the more stringent the assessment criteria and methodology.

There are four compliance levels for merchants and two for service providers.  

How Long Is an Attestation of Compliance Valid?

Compliance begins after the qualified security auditor finishes a successful audit of your program and gives you the Attestation of Compliance. The AoC is then valid for one year from the day the auditor signs it.

How often should an attestation of compliance be submitted?

Organizations should send their AoC documents annually to their credit card acquirer, reaffirming their ongoing commitment to PCI DSS compliance standards.

How Do I Get an Attestation of Compliance?

Here’s a step-by-step process to obtain your AoC:

Step 1: Comply With PCI DSS standards

Create a secure network for cardholder data input and implement robust security measures to safeguard it. You must also enforce strict access controls for credit card data protection and maintain comprehensive information security policies, among other PCI DSS obligations.

Step 2: Determine compliance level and assessment type

Once you’re confident in your compliance status, determine your PCI compliance level and prepare for the assessment conducted by the QSA. 

If your organization falls into Merchant Levels 3 or 4 (processing fewer than 1 million transactions per year), you only need to complete a Self-Assessment Questionnaire (SAQ) for review by a QSA, rather than have a full audit from the QSA directly. (Note that there are various PCI SAQ types, so you should choose the one that fits your organization the best.) 

For organizations classified as PCI compliance Levels 1 or 2, an SAQ and/or a QSA audit may be required.

Step 3: Schedule and complete the assessment

The SAQ review can be completed in person or virtually, depending on your QSA’s preferences. If, based on your SAQ, the QSA confirms your compliance with PCI DSS, he or she will then issue your AoC. 

For organizations falling under higher compliance levels and requiring a QSA audit, the QSA will assess your security posture, systems, and overall compliance with PCI DSS. If your organization is PCI-compliant following this evaluation, you’ll receive your AoC (and likely a separate document, a “Report on Compliance,” as well).

ZenGRC Excels at Compliance Management

PCI compliance is an endeavor with many moving parts, so managing the project with spreadsheets and other manual processes is a fool’s errand; too many important details may be overlooked or completed incorrectly. You need a better solution — so choose ZenGRC over spreadsheets for efficient evidence and audit management across compliance frameworks. 

ZenGRC has user-friendly compliance, risk, and workflow management software preloaded with common standards such as PCI, HIPAA, and SOC; this allows simultaneous compliance management, since you’ll probably be striving for compliance with PCI and other regulations at the same time. ZenGRC is a centralized source of truth, assuring constant compliance and PCI audit readiness, complete with revision-controlled policies, intuitive workflow features, and insightful reporting.

Get a demo to experience how ZenGRC streamlines compliance and vulnerability management.