A Report on Compliance (ROC) is the formal assessment report produced when an organization is audited against the PCI DSS (Payment Card Industry Data Security Standard), written by the assessor using the PCI Security Standards Council's ROC reporting template. Visa requires an ROC from all Level 1 merchants, those that process more than 6 million Visa transactions a year, and from Level 1 service providers, which process more than 300,000 transactions a year. Level 2 merchants, which process 1 million to 6 million Visa transactions annually, validate with a self-assessment by default but may be required by their acquiring bank to prepare an ROC as well. Merchant levels are defined separately by each card brand, so the thresholds and validation requirements of Mastercard, American Express and the other brands may differ from Visa's.
The PCI Report on Compliance documents whether, and how, a merchant meets each PCI DSS requirement. The standard's controls were developed to secure card-based transactions and to protect cardholder data against theft, fraud and other misuse.
PCI DSS was created in 2006 as a collaborative effort of American Express, Discover, JCB International, Mastercard and Visa, which founded the PCI Security Standards Council to maintain it. It is a payment-specific standard that sits alongside broader information security standards such as the ISO/IEC 27000 series (notably ISO/IEC 27001) and NIST Special Publication 800-53; their controls overlap, but compliance with one does not satisfy the others.
PCI DSS applies to every organization that stores, processes or transmits cardholder data, or that can affect the security of the environment in which that data is handled, including retailers, service providers and financial institutions. It sets the operational and technical requirements for handling payment card data. The PCI Security Standards Council, which manages the standard, also publishes companion standards for other participants in the payment ecosystem, for example standards for payment application and software vendors and for manufacturers of card-accepting devices.
Level 1 and some Level 2 merchants must have an ROC completed annually. A PCI Qualified Security Assessor (QSA) assesses the merchant, writes the ROC and signs the accompanying Attestation of Compliance (AOC). The merchant submits these to its acquiring bank, which reviews them and reports the merchant's compliance status to Visa. Acquirers typically forward the AOC; the full ROC is supplied on request.
Instead of hiring a QSA, a merchant may have one or more employees trained and certified by the PCI Security Standards Council as Internal Security Assessors (ISAs). Where the merchant's card brands and acquirer permit it, an ISA can organize and perform the internal assessment and complete the ROC. A merchant that is not required to produce an ROC validates instead with a Self-Assessment Questionnaire (SAQ), which it completes with its own staff. Some card brands require that Level 2 merchants' SAQs be completed by ISA-certified staff or a QSA; Level 3 and Level 4 merchants generally self-assess without either. Whether a merchant can use the SAQ option is determined by its merchant level, which is set by its card transaction volume, and by its acquirer.
The SAQ option is available to some Level 2 merchants and to all Level 3 and Level 4 merchants. With an SAQ, the merchant answers the questionnaire that matches its payment channel, signs the corresponding Attestation of Compliance and submits both to its acquiring bank, or to the payment brand if instructed to.
PCI DSS compliance reports detail how an organization handles cardholder data, above all the primary account number (PAN), and whether it stores, processes or transmits that data. This includes the following ways in which data is handled:
It is important to have this information for several reasons, including the following:
PCI DSS has 12 requirements, grouped into six control objectives. Every in-scope organization is subject to all 12, but which of the individual controls beneath them apply, and which SAQ the organization may use, depend on how it handles cardholder data. A merchant that fully outsources card processing to a validated third party, for instance, has far fewer applicable controls than one that stores card numbers on its own systems.
The 12 requirements, as numbered in PCI DSS v3.2.1, are the following:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
A Self-Assessment Questionnaire documents how well a merchant complies with the specific PCI DSS controls that apply to its payment channel. The merchant completes it itself. An employee trained and certified as an Internal Security Assessor is well placed to run the self-assessment, and some card brands require one for certain merchant levels, but most SAQs do not need an ISA.
There are nine SAQs (A, A-EP, B, B-IP, C, C-VT, D for merchants, D for service providers, and P2PE). An organization must determine which one applies to it based on how it accepts and handles card payments: SAQ A, for example, is limited to merchants that fully outsource all cardholder data functions to validated third parties, whereas SAQ D covers every requirement and applies to any merchant that does not fit a narrower questionnaire. Whoever performs the self-assessment gathers the evidence, completes the questionnaire and the accompanying Attestation of Compliance, and sends them to the acquirer or payment brand responsible for validating compliance.
Both ROCs and SAQs have specific eligibility and reporting requirements. Each is paired with a signed Attestation of Compliance (AOC), the summary document that is actually submitted to the acquirer or payment brand. Completing the appropriate one reduces compliance risk by requiring the organization to check and document its controls against the standard.
An ROC is typically performed by a third-party assessment firm whose employees are certified as QSAs or, where the card brands permit it, by the organization's own ISAs. Organizations that handle millions of card transactions a year are the ones most likely to be required to use an ROC to validate their PCI DSS compliance.
Organizations perform SAQs as a simpler way to validate PCI DSS compliance. An employee such as a compliance officer, ideally one trained as an ISA, performs the assessment. Small and medium-sized businesses that are eligible for an SAQ can still choose a full ROC, but the SAQ is the more convenient and less costly option.
The best way to learn what goes into an ROC or SAQ is to read the templates and guidance in the PCI Security Standards Council's Document Library. The library includes the following documents that detail the ROC and SAQ processes:
03 Nov 2021