Before I answer this question, I'd like to address what a PCI DSS Report of Compliance (ROC) is. According to the PCI DSS assessment website, ROC is a commonly used term for the Payment Card Industry Data Security Standard (PCI DSS) assessment that Visa demands to satisfy merchant and service provider reporting requirements. With Visa's large market share, the term ROC has become common throughout the industry, but other payment card brands require reports similar to a ROC under different names, such as Discover's DISC Attestation of Compliance, American Express' Annual Executive Summary of Onsite Security Audit Report, and MasterCard's Certificate of Validation.
ROCs can be considered extremely sensitive and, in my opinion, should be kept confidential if at all possible; however, I realize that this cannot always be the case for public agencies subject to Freedom of Information Act (FOIA) requirements.
I'm not sure of any circumstance where you would not forward a ROC to a legitimate requesting agency --– such as a bank for PCI DSS --– but it is understandable why an organization may not want to share it under various circumstances. In particular, if the ROC results are not entirely positive, then such information in the wrong hands --– a competitor's, for example, or the press' --– could have serious consequences.
Something to consider: Why doesn't the legal department want to release or allow for a copy of the ROC to be sent? Perhaps by understanding its reasons better, you can decide on a more effective way to proceed.
If the reason for the legal department's reticence is the potentially insecure means of transmission of the ROC, then considerations such as encryption, courier or other highly secure methods may solve the problem.
Would it be possible to allow for the requesting authority to visit the corporation itself, where the ROC is physically located? There, under the auspices of a Non-Disclosure Agreement (NDA), they could review the document without the ROC ever being released outside of the enterprise.
Please understand that these answers are a bit constrained because I am not sure of all the circumstances. But asking some of the above questions should get you started down the right path.
For more information:
This was first published in February 2010