
PCI Report on Compliance (RoC): A Practical Guide


    A PCI Report on Compliance (RoC) is a formal document produced after a comprehensive review of an organization’s adherence to the Payment Card Industry Data Security Standard (PCI DSS). It assesses the security measures a business has implemented to protect cardholder data. The RoC is the formal record that PCI DSS requirements have been rigorously applied, so that card transactions are secured and customer data is protected against breaches.

    Organizations handling large volumes of transactions (mainly Level 1 merchants, with over 6 million transactions per year) must validate their compliance annually through a RoC. This process involves a detailed examination by a Qualified Security Assessor (QSA), who evaluates the organization’s security policies, procedures, and technical systems. The result is a document that confirms areas of compliance, identifies areas for improvement, and provides guidance for remediation.

    To get an idea of what a RoC looks like, see the official PCI Report on Compliance template.

    About this Explainer:

    This content is part of a series about PCI Compliance.

    Recommended Reading: What Is SIEM, Why Is It Important and 13 Key Capabilities.


    Who Needs a PCI DSS RoC? 

    Not every business requires a PCI DSS Report on Compliance. It is primarily aimed at merchants and service providers processing a significant volume of credit card transactions, typically more than 6 million transactions per year. These entities fall into PCI DSS Merchant Level 1, necessitating an annual RoC to prove compliance.

    Some Level 2 merchants (processing 1 to 6 million transactions per year) are also required to complete a RoC, depending on the specific requirements of the card brand (such as Visa or Mastercard).

    In some cases, instead of using a QSA, a merchant may have one or more employees trained and certified as Internal Security Assessors (ISAs). ISAs can organize and perform an internal assessment and complete a RoC.

    Level 2 merchants who are not required to submit a RoC, as well as all Level 3 and 4 merchants, instead file a Self-Assessment Questionnaire (SAQ). This substitutes for a formal audit and is an easier way to achieve PCI compliance for smaller organizations.

    Related content: Read our guide to PCI compliance levels



    What Does a Report on Compliance Include? 

    Here are the high-level sections that comprise a RoC and their content.

    Contact Information and Report Date

    The report includes essential contact information for the parties responsible for PCI DSS compliance within the organization, including the QSA. This facilitates easy communication for clarifications, follow-ups, or audits. This section also timestamps the assessment, which is crucial for maintaining annual compliance and tracking improvements or regressions over time.

    Executive Summary

    The executive summary of a PCI DSS RoC provides a high-level overview of the assessment findings. It offers insights into the organization’s commitment to PCI DSS standards and the scope of the audit. This section is intended for stakeholders who need a quick understanding of the company’s compliance status without delving into technical details.

    This summary typically includes a brief description of the organization’s payment card operations and an outline of the assessment’s objectives, methods, and results. It highlights the key findings, allowing stakeholders to grasp the overall health of the organization’s data security practices at a glance.

    Description of Scope and Approach Taken

    The scope and approach section clarifies the boundaries of the PCI DSS assessment, detailing which systems, networks, and processes were examined. It ensures that all relevant areas involved in storing, processing, or transmitting cardholder data were included in the review. By defining the scope, the report prevents any misunderstanding regarding the assessment’s coverage.

    Additionally, this section explains the methodology used by the QSA to evaluate compliance. It outlines the tests conducted, the standards applied, and the rationale behind the assessment strategy. This transparency helps organizations understand the thoroughness of the review process and the basis for the findings and recommendations.

    Details About the Reviewed Environment

    This part of the RoC delves into the specifics of the environment assessed, including the hardware, software, and network configurations involved in handling cardholder data. It provides a detailed inventory of the systems evaluated and their role in the organization’s payment card operations. This detailed description is crucial for understanding the environment’s complexity and the security measures in place.

    The section also discusses the data flows, showing how cardholder information moves through the organization’s systems. This insight is essential for identifying potential vulnerabilities and ensuring all points of data handling meet PCI DSS requirements.

    Quarterly Scan Results

    Quarterly scan results are part of the ongoing compliance process, providing snapshots of the organization’s vulnerability status between annual assessments. These scans identify weaknesses that could be exploited by cyber threats. The RoC documents these results, summarizing the actions taken to address any vulnerabilities and ensure continuous compliance.

    Reporting these scans in the RoC underscores an organization’s commitment to maintaining secure environments, illustrating a proactive approach to vulnerability management and compliance throughout the year.

    Findings and Observations

    Findings and observations give a detailed account of the assessment results, highlighting areas of compliance and concern. This section is critical for understanding the specifics of how the organization meets or fails to meet PCI DSS criteria. It provides a basis for the overall compliance decision.

    Findings often include recommendations for remediation, offering a roadmap for addressing any compliance gaps. Observations might highlight areas that are compliant but could benefit from enhanced security practices, aiming for a security posture that exceeds baseline requirements.

    Tips from the expert

    Steve Moore

    Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of the “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.

    In my experience, here are tips that can enhance your approach to achieving a successful PCI Report on Compliance (RoC) and strengthen overall compliance efforts:

    Automate evidence collection
    Implement tools like SIEMs, log management systems, and automated compliance platforms to gather and organize audit evidence efficiently. This reduces the manual burden and ensures that all documentation is readily available.

    Define the PCI scope meticulously upfront
    Clearly define your Cardholder Data Environment (CDE) to ensure the QSA assessment doesn’t include systems unnecessarily. Use segmentation techniques to isolate the CDE and reduce the compliance burden.

    Establish a year-round compliance program
    PCI compliance isn’t a one-time task; maintain a proactive compliance strategy. Continuously monitor, review, and update processes, systems, and policies to ensure ongoing alignment with PCI DSS standards.

    Use compensating controls strategically
    If a specific PCI requirement is technically infeasible, implement robust compensating controls. Ensure these controls are well-documented and approved by the QSA to meet compliance requirements.

    Incorporate regular readiness assessments
    Conduct internal mock RoCs or pre-audit assessments before the QSA’s formal review. These assessments help identify gaps and allow remediation without the pressure of the official audit timeline.


    The PCI RoC Process 

    Find a QSA

    The first step in the PCI RoC process is selecting a Qualified Security Assessor (QSA). The QSA must be certified by the PCI Security Standards Council and have relevant experience in the industry. Choosing an experienced, reputable QSA is crucial as they guide the organization through the compliance process, ensuring a thorough and accurate assessment.

    Share Documentation With Your QSA

    After selecting a QSA, the next step involves sharing extensive documentation about the organization’s payment card processing environment. This includes network diagrams, data flow maps, policies, procedures, and any previous audit reports.

    This phase ensures the QSA understands the scope of the organization’s operations and security measures. It enables a focused assessment, where the QSA can efficiently identify areas requiring attention, thereby streamlining the subsequent steps of the RoC process.

    QSA Conducts Their Assessment

    With the necessary documentation in hand, the QSA begins the assessment phase. This involves on-site visits, interviews with key personnel, and technical testing. The goal is to examine the organization’s compliance with each of the PCI DSS requirements in detail. This phase can be intensive, demanding cooperation between the organization and the QSA.

    The assessment phase is critical for identifying compliance gaps and areas of vulnerability within the organization’s cardholder data environment. The QSA’s findings form the basis for the RoC, outlining the organization’s adherence to PCI DSS standards.

    QSA Fills Out the RoC

    Upon completing the assessment, the QSA compiles their findings into the Report on Compliance. The QSA’s role in filling out the RoC is to provide an unbiased, detailed account of the organization’s security posture regarding PCI DSS requirements. This document is critical for both the organization and its partners, proving compliance and guiding future security efforts.

    Remediate Any Compliance Gaps Described in the RoC

    If the RoC identifies compliance gaps, the organization must address these issues promptly. Remediation involves correcting deficiencies noted by the QSA to meet PCI DSS standards. The organization develops a remediation plan, often with guidance from the QSA, outlining the steps to address each gap. Progress is typically shared with the QSA, ensuring that the remediation efforts are on track and meet the required standards.

    QSA Completes an Attestation of Compliance (AOC)

    After the organization addresses all compliance gaps, the QSA issues an Attestation of Compliance (AOC). This document is a formal declaration that the organization meets all applicable PCI DSS requirements, based on the RoC findings and any subsequent remediation. The AOC is crucial for demonstrating compliance to acquiring banks, payment brands, and other stakeholders.

    The completion of the AOC marks the end of the PCI RoC process for the current cycle. However, organizations must continuously maintain and improve their security measures, readying themselves for the next assessment cycle.


    Understanding Your PCI RoC Results 

    Let’s review the possible outcomes of a RoC for each assessed requirement and what they mean for your organization.

    In Place

    “In Place” indicates that the organization meets specific PCI DSS requirements without exception. It shows a complete and effective implementation of required security controls. For stakeholders, this status conveys confidence in the organization’s security posture. Being “In Place” is the goal for all assessed areas, as it signifies full compliance with the PCI DSS.

    In Place with Remediation

    “In Place with Remediation” means that while the necessary controls are mostly established, specific issues were identified requiring corrective action. This status acknowledges the organization’s efforts and compliance intentions but stresses the need for additional efforts to fully meet PCI DSS requirements.

    Organizations with this status are on the right track but must prioritize addressing the identified gaps. Timely remediation minimizes risks both to cardholder data and to the organization’s compliance status.

    Not Applicable

    “Not Applicable” status is assigned to PCI DSS requirements that do not apply to the organization’s specific environment or business model. This determination is made based on the scope of the assessment and the nature of the organization’s operations. It acknowledges that not every requirement is relevant to all entities.

    Documenting “Not Applicable” statuses is important for clarity and understanding the organization’s compliance landscape. It helps focus efforts on applicable requirements, ensuring relevant protections are in place.

    Not Tested

    “Not Tested” indicates areas or controls that were not examined during the assessment. This status can arise from scope limitations, assessment constraints, or other factors that prevented the QSA from evaluating certain aspects of PCI DSS compliance.

    Organizations should aim to minimize “Not Tested” findings in future assessments by ensuring comprehensive access and cooperation with the QSA. Addressing these areas can strengthen the overall security posture and compliance status.

    Not in Place

    “Not in Place” is assigned when the organization fails to meet specific PCI DSS requirements. This serious finding indicates a gap in the security controls necessary to protect cardholder data effectively. It calls for immediate attention and remediation to mitigate risks and achieve compliance.

    Organizations with “Not in Place” findings must work diligently to address these deficiencies. Failure to remediate could lead to breaches, financial penalties, and damage to the organization’s reputation.


    5 Steps to Recover From a Failed RoC 

    When a RoC results in one or more “Not in Place” findings, the organization must act to achieve or retain its PCI compliance status. Here are the steps you can take to recover from a failed audit:

    1. Notification

    When an organization fails a PCI Report on Compliance (RoC), the first step is to notify all relevant stakeholders. This includes internal leadership, such as the CEO, CFO, and CISO, as well as external parties like the acquiring bank, payment processors, and the PCI Council if necessary. 

    Prompt, transparent communication is crucial to managing the situation effectively. It’s important to outline the nature of the compliance failures, potential impacts, and the organization’s commitment to addressing the issues as swiftly and comprehensively as possible.

    2. Identify Issues

    The next step involves a thorough analysis of the RoC to identify and understand the specific compliance gaps. This requires a detailed review of the “Not in Place” findings within the report, categorizing each issue based on its nature, severity, and the resources required for remediation. 

    Engaging with the QSA who conducted the assessment can provide additional insights into the root causes of compliance failures and clarify the steps needed for remediation.

    3. Create a RoC Recovery Plan

    Developing a recovery plan is critical to regaining compliance. This plan should outline the specific actions needed to address each compliance gap, assign responsibility for each task, and set realistic deadlines. 

    Prioritization is key, with immediate focus on high-risk issues that could lead to data breaches or significant operational impacts. The plan should also include measures for enhancing the organization’s overall security posture to prevent future compliance issues.

    4. Implement and Test

    With the recovery plan in place, the organization must then implement the necessary changes. This could involve updating policies and procedures, enhancing technical controls, and conducting training to ensure all employees understand their roles in maintaining PCI DSS compliance. 

    After implementing the changes, rigorous testing is important to verify that each remediation step effectively addresses the identified issues. This may include vulnerability scans, penetration testing, and revisiting documentation to ensure it accurately reflects the new security measures.

    5. Reassess

    Finally, once the remediation measures have been implemented and tested, the organization should engage a QSA to conduct a reassessment. This reassessment focuses on the previously identified gaps to ensure that all issues have been adequately addressed. 

    Achieving a passing RoC on this reassessment demonstrates the organization’s return to full compliance. It’s also an opportunity to review the effectiveness of the overall PCI compliance program and identify any areas for continuous improvement. Continuous monitoring and regular assessments are essential to maintaining compliance and protecting against evolving cyber threats.


    PCI DSS Compliance with Exabeam Fusion SIEM

    In the end, PCI DSS compliance is all about proving to auditors that you do what you say you do — and Exabeam can help. While DLP, endpoint, vulnerability scanning, network, and identity vendors each give you a piece of the puzzle, Exabeam Fusion SIEM helps you put the pieces together into a full picture of an attack, adding context and risk scoring to events and alerts to present an end-to-end PCI DSS compliance picture.

    Exabeam Fusion SIEM offers security teams a report on vulnerabilities discovered on PCI assets. The report draws on vulnerability scan data produced by firewalls, routers, switches, and any other device that reports vulnerability information. Vulnerability scans of the cardholder data environment expose weaknesses in the network that could otherwise be found and exploited by malicious individuals. Organizations use this report to identify the specific high and critical vulnerabilities on cardholder systems that need to be fixed.

    Fusion SIEM also examines credit card data detected in motion or at rest by IDS, IPS, and DLP systems, providing visibility into potentially unauthorized transmissions of credit card data over the network or to unauthorized removable storage devices. Customers use this report to identify the source of a transmission so it can be investigated and fixed. The cardholder data environment should be monitored for unauthorized egress of credit card data using IDS, IPS, and DLP-based technologies.

    From credential anomalies and unusual activity or movement to credit card data access or transmission, Exabeam provides a clear baseline of “normal” for any credential, data flow, and activity. This streamlines your SOC workflow and response when a credential is compromised or an insider turns malicious, and it helps detect lateral movement of malware or ransomware within your environment.

    Learn more:

    Learn more about Exabeam Fusion SIEM.
