
A PCI Attestation of Compliance (AoC) is a formal declaration by an organization (a merchant or a service provider) that it complies with the Payment Card Industry Data Security Standard (PCI DSS). The AoC is signed by the organization and, when an assessor performed the assessment, by the Qualified Security Assessor (QSA); otherwise it rests on the organization's own self-assessment. It serves as evidence to acquirers, card brands and customers that the security controls required to protect cardholder data are in place.
Submitting an AoC is the final step on the road to PCI DSS compliance. It summarizes the assessment carried out for the organization, the current compliance status, the assessment methodology, and the security controls in place. Acquirers and card brands accept an AoC for one year, after which the organization must repeat the assessment and revalidate.
This content is part of a series about PCI Compliance.
Recommended Reading: What Is SIEM, Why Is It Important and 13 Key Capabilities.
Who Needs an AoC?
Entities involved in the processing, storage, or transmission of credit card information must provide a PCI AoC. This includes merchants of all sizes, service providers, and other entities that impact the security of payment card transactions. If your operations include handling cardholder data, it is necessary to provide an AoC, allowing you to operate within the PCI DSS framework.
How Does a Company Obtain a PCI AoC?
1. Comply with PCI DSS standards
The organization must understand the requirements of the PCI DSS standard and implement the specified security measures to protect cardholder data. These measures include maintaining a secure network, encrypting cardholder data, and conducting regular security assessments. Companies must thoroughly document these controls, demonstrating their commitment to data security.
Read our detailed explainer about PCI DSS requirements.
2. Determine Your Compliance Level and Assessment Type
The card brands, not the PCI DSS standard itself, define four merchant levels based mainly on annual transaction volume (the thresholds below are Visa's; the other brands use similar ones). Each level has its own validation requirements for obtaining an AoC:
- PCI DSS Compliance Level 1: Applies to merchants that process more than 6 million card transactions annually, and to any merchant a card brand designates as Level 1 (for example, after an account data compromise). At this level, merchants must undergo an annual onsite assessment by a Qualified Security Assessor (QSA) or a PCI-trained Internal Security Assessor (ISA). The assessor documents the findings in a Report on Compliance (RoC). If the RoC shows every applicable requirement in place, the assessor and the merchant sign the Attestation of Compliance.
- PCI DSS Compliance Level 2: Applies to merchants that process between 1 million and 6 million transactions per year. Most can perform an internal assessment and complete a Self-Assessment Questionnaire (SAQ), although some card brands require the SAQ to be signed off by a QSA or ISA, and an acquirer may demand a full RoC. Based on the RoC or SAQ, the merchant signs an Attestation of Compliance.
- PCI DSS Compliance Level 3: Applies to merchants processing between 20,000 and 1 million e-commerce transactions each year. These merchants complete an SAQ and, based on it, sign an Attestation of Compliance.
- PCI DSS Compliance Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions per year (and to other merchants with up to 1 million transactions). Validation requirements at this level are set by the merchant's acquiring bank, which may or may not require an SAQ and AoC.
Read our detailed explainer about PCI compliance levels.
3. Submit Questionnaire or Report on Compliance
Following the external assessment or the internal self-assessment, the organization submits the Report on Compliance (RoC) or the completed Self-Assessment Questionnaire (SAQ), respectively, to its acquiring bank or to the card brand that requested it. These assessments evaluate the company's adherence to PCI DSS requirement by requirement, with each one marked as in place, not in place, or not applicable.
If any requirement is not in place, the organization must remediate the gap and have the affected controls re-tested; an AoC can only be signed once every applicable requirement is in place, either directly or through a compensating control the assessor has accepted and documented. When all issues are addressed, the organization can finally submit the Attestation of Compliance (AoC).
What Is a Qualified Security Assessor (QSA)?
A Qualified Security Assessor (QSA) is a security professional, employed by a QSA company, certified by the PCI Security Standards Council (PCI SSC) to evaluate organizations against the Payment Card Industry Data Security Standard (PCI DSS). Only Level 1 merchants and Level 1 service providers must undergo a full onsite assessment, and even they may use a PCI-trained Internal Security Assessor (ISA) rather than an external QSA; some card brands also require a QSA or ISA to sign off the SAQ of a Level 2 merchant.
The certification process for QSAs is stringent, requiring them to demonstrate extensive knowledge and experience in information security. QSAs are responsible for conducting comprehensive assessments that cover an organization’s security measures, policies, and procedures to ensure they align with PCI DSS requirements.
A QSA audit involves a mix of document review, interviews, and technical tests. Following the assessment, QSAs prepare a Report on Compliance (RoC), detailing their findings and whether the organization meets PCI DSS standards. If all applicable PCI requirements are found to be “In Place”, the QSA will then prepare an Attestation of Compliance (AoC), indicating the organization is PCI DSS compliant.
Tips from the expert

Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of the “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.
In my experience, here are advanced tips for obtaining and maintaining a PCI Attestation of Compliance (AoC) with minimal disruption:
Optimize Scoping with Precision
Clearly define the Cardholder Data Environment (CDE) and isolate it using network segmentation. This minimizes the number of systems in scope and reduces the effort required for assessment and compliance.
Pre-Audit with Internal Assessors
Conduct a detailed internal pre-audit using your Information Security Assessor (ISA) or internal teams. This helps identify gaps, allows remediation before the official audit, and saves time during the QSA review.
Implement Automated Evidence Collection
Use automation tools to collect logs, configurations, and control evidence tied to PCI requirements. This reduces manual effort and ensures timely availability of accurate documentation during audits.
Enforce Continuous Control Validation
Adopt tools like file integrity monitoring (FIM), SIEM solutions, and vulnerability scanners to validate security controls continuously. Real-time validation ensures compliance remains intact throughout the year.
Align Third-Party Risk with AoC Compliance
Ensure all third-party providers impacting your CDE supply their own AoCs or similar attestations. Periodically review their compliance status to avoid non-compliance risks that could impact your organization.
What’s Included in the AoC Document?
Here’s an overview of the main sections found in an AoC.
Scope of Assessment
This section details the specific systems, networks, and processes evaluated during the PCI DSS assessment. It defines the boundaries of the evaluation, ensuring every component involved in processing, storing, or transmitting payment card data, or able to affect its security, is covered.
This section also helps organizations understand the extent of their compliance efforts. By clearly defining the scope, companies can better manage and secure their environments, focusing on areas critical to protecting cardholder data.
Compliance Status
This section identifies whether the evaluated entities meet PCI DSS requirements. It provides a clear indication of compliance or highlights areas needing improvement. For companies, this section outlines their security posture, pinpointing successes and areas for enhancement concerning PCI standards.
Assessment Methodology
This section outlines the procedures and tests conducted to determine compliance with PCI DSS. It includes the methodologies used by assessors to verify the implementation of required security controls. This provides an insight into the rigor and thoroughness of the assessment, ensuring stakeholders the evaluation was comprehensive.
Security Controls
This section details the specific controls and measures implemented by the company to comply with PCI DSS requirements. It highlights how sensitive data is protected, from encryption and access controls to monitoring and risk management practices. This gives stakeholders a clear view of the security posture of the organization.
Read our detailed explainer about PCI security.
Assessor Information
This section identifies who carried out the assessment: the Qualified Security Assessor (QSA) company and its lead assessor, any Internal Security Assessor (ISA) involved, and the Approved Scanning Vendor (ASV) that performed the external vulnerability scans, together with their credentials and contact details.
How Long Is an Attestation of Compliance Valid?
A PCI AoC is accepted by acquirers and card brands for one year from the date it is signed, so organizations must plan for an annual reassessment as part of their security programs. Annual validation confirms continued compliance and catches gaps introduced by changes to the environment or operations during the year. The AoC is not a substitute for the controls that run between assessments: most validation types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and a merchant holding a current AoC is still expected to remain compliant at all times, not only on the assessment date.
What Will You Need to Provide to Make Your Assessment Painless?
To streamline the process of obtaining a PCI Attestation of Compliance (AoC) and make the assessment as smooth as possible, companies need to prepare and provide specific information and documentation. Here’s what you’ll need:
- Detailed documentation of your IT environment: You should have comprehensive documentation of your IT infrastructure, including network diagrams, data flow charts, and an inventory of all systems involved in processing, storing, or transmitting cardholder data. It should clearly outline the boundaries of the Cardholder Data Environment (CDE).
- Policies and procedures: Prepare and provide access to your Information Security Policy, Access Control Policy, Incident Response Plan, and any other procedures related to PCI DSS requirements.
- Evidence of implemented controls: Be ready to show evidence of configuration settings, screenshots, logs, or other proof that demonstrates compliance with PCI DSS requirements. Organize this evidence systematically to correspond with each requirement.
- List of third-party service providers: If you rely on third-party service providers to process, store, or transmit cardholder data, or if they can otherwise affect its security, compile a list of these providers along with the services they provide. Keep copies of each provider's current AoC and of the written agreements, required under PCI DSS Requirement 12.8, in which the provider acknowledges responsibility for the security of the cardholder data it handles. Their compliance status affects your own, so record which PCI DSS requirements each provider covers and which remain yours.
- Self-Assessment Questionnaire (SAQ): While an SAQ may not replace the need for a full assessment, it can offer valuable insights into your preparedness and highlight areas of strength and improvement.
PCI DSS Compliance with Exabeam Fusion SIEM
In the end, PCI DSS compliance is about proving to assessors that you do what you say you do, and Exabeam can help. DLP, endpoint, vulnerability scanning, network, and identity vendors each provide pieces of the puzzle; Exabeam Fusion SIEM brings them together into a full picture of an attack, adding context and risk scoring to events and alerts so that you can show an end-to-end PCI DSS compliance picture.
Exabeam Fusion SIEM offers reports for your security teams on vulnerabilities discovered on PCI assets. This report draws on vulnerability scan data covering firewalls, routers, switches, and any other in-scope device for which findings are produced. Vulnerability scans of the cardholder data environment expose weaknesses in networks that could be found and exploited by attackers. Organizations use this report to identify specific high and critical vulnerabilities on cardholder systems that must be fixed.
Fusion SIEM also correlates credit card data found in motion or at rest by IDS, IPS, and DLP systems, providing visibility into potentially unauthorized transmission of credit card data over the network or to unauthorized removable storage devices. Customers use this report to identify the source of the transmission so that it can be investigated and remediated. The cardholder data environment should be monitored for unauthorized egress of credit card data using IDS, IPS, and DLP-based technologies.
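As an added example (written for this page; it is not Exabeam's code and not part of Fusion SIEM), here is the detection logic a DLP or SIEM rule applies to flag cardholder data in an event stream: find digit runs of plausible length, validate them with the Luhn checksum so that order numbers and transaction IDs are not flagged, and keep only a masked form (first six and last four digits, the most PCI DSS permits to be displayed) so that the alert itself never becomes a store of full PANs. The log lines and the 10.x / 203.0.113.x addresses are constructed; the card numbers are the public Visa, Mastercard and Amex test numbers. The leading-digit filter is a heuristic, not a complete brand table.

```python
import re
from typing import List, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Timestamps and IP addresses use ':'
# and '.', so they never qualify as candidates.
PAN_CANDIDATE = re.compile(r"(?<![0-9])[0-9](?:[ -]?[0-9]){12,18}(?![0-9])")

# Constructed sample events (not real data). The card numbers are the public
# test PANs for Visa, Mastercard and Amex; the third line carries a 16-digit
# transaction ID that fails the Luhn check and must not be flagged.
SAMPLE_LOGS = [
    '2024-03-02T10:14:03Z dlp egress src=10.20.5.14 dst=203.0.113.7 body="order ref 4111 1111 1111 1111 approved"',
    "2024-03-02T10:14:09Z proxy src=10.20.5.22 dst=198.51.100.9 uri=/export?id=5500000000000004",
    "2024-03-02T10:15:00Z app txn_id=1234567890123456 status=ok",
    "2024-03-02T10:15:30Z usb copy dev=sdb1 file=cust.csv sample=3782-822463-10005",
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Luhn-valid, 13-19 digits, leading digit used by the major brands (3-6)."""
    return 13 <= len(digits) <= 19 and digits[0] in "3456" and luhn_ok(digits)


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> List[Tuple[str, str]]:
    """Return (raw_match, masked_pan) for every validated PAN in a line."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if looks_like_pan(digits):
            hits.append((m.group(0), mask_pan(digits)))
    return hits


def redact_line(line: str) -> str:
    """Replace validated PANs with their masked form so the stored alert
    never contains a full PAN (a raw PAN in the SIEM would pull it into scope)."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if looks_like_pan(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, line)


def scan_logs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, masked_pan) for every event carrying a PAN."""
    findings = []
    for idx, line in enumerate(lines):
        for _raw, masked in find_pans(line):
            findings.append((idx, masked))
    return findings


if __name__ == "__main__":
    for idx, masked in scan_logs(SAMPLE_LOGS):
        print(f"PAN in event {idx}: {masked} -> {redact_line(SAMPLE_LOGS[idx])}")
```

Run as a script it prints each finding alongside the redacted event. In production the same redaction should run at ingestion time, before the event is written to storage, since an alert that carries a full PAN is itself cardholder data and brings the logging platform into the assessment scope.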
Exabeam establishes a baseline of "normal" for every credential, data movement, and activity, from credential anomalies and unusual activity or movement to credit card data access or transmission. This streamlines SOC workflow and response when a credential is compromised or an insider acts maliciously, and helps detect lateral movement of malware or ransomware within your environment.
Learn more about Exabeam Fusion SIEM.