Report on Compliance (ROC)

What is a Report on Compliance (ROC)?

A Report on Compliance (ROC) is a form that must be completed by all Level 1 Visa merchants undergoing a PCI DSS (Payment Card Industry Data Security Standard) audit. A Level 1 merchant is one who processes over 6 million Visa transactions in a year. Level 2 merchants, which process 1 million to 6 million transactions annually, may also be required to prepare an ROC.

The PCI Report on Compliance is used to verify that a merchant is compliant with PCI DSS. The policies and procedures included in PCI DSS were developed to enhance the security of card-based transactions and protect cardholder data against fraud and other misuses of their personal information.

PCI DSS was created as a collaborative effort of American Express, Discover, Mastercard and Visa. These standards are in addition to other data security industry standards, such as International Organization for Standardization 27000 and National Institute of Standards and Technology Special Publication 800-53.

PCI DSS development timeline
Work on the Payment Card Industry Data Security Standard began in the late 1990s. See the main milestones in its development in this timeline.

How does an ROC work?

PCI DSS applies to organizations that store, process or transmit credit card data, including retail firms and financial institutions. The standards set the operational and technical guidelines for handling payment transactions. It sets similar guidelines for other organizations involved in payment transactions, such as software developers and equipment manufacturers. The PCI Security Standards Council manages the standards.

Level 1 and some Level 2 merchants must complete the ROC annually. A PCI Qualified Security Assessor (QSA) audits the merchant and fills out the ROC form. The form is then submitted to the merchant's acquiring bank. Once the merchant's bank has accepted the ROC, it sends the document on to Visa for compliance verification.

Instead of using a QSA, a merchant may have one or more employees trained and certified as Internal Security Assessors (ISAs). ISAs can organize and perform an internal assessment and complete an ROC. ISAs can also file a Self-Assessment Questionnaire (SAQ), which some organizations are allowed to use instead of an ROC and a formal audit. An organization's size and credit card transaction volume determine if it can use the SAQ option.

The SAQ option is available to some Level 2 and all Levels 3 and 4 merchants. With an SAQ, a merchant completes a form and submits it to the required organization.

table showing PCI DSS four compliance levels
PCI DSS compliance requirements depend on which level a merchant is in. The four levels are based on businesses' annual transactions.

Why is compliance reporting important?

PCI DSS compliance reports detail how customer data is handled -- particularly data on credit card use. This includes the following ways in which data is handled:

  • gathered
  • processed
  • secured
  • protected
  • stored
  • distributed

It is important to have this information for several reasons, including the following:

  • Compliance reporting is essential for businesses that collect and store personally identifiable information and other sensitive data to demonstrate they operate within PCI requirements.
  • Demonstrating compliance with PCI DSS standards is an important part of how merchants manage their organizations.
  • Annual compliance reviews help businesses identify and deal with potential compliance risks.
  • Failing to submit compliance reports can result in fines, litigation and even damage to an organization's reputation.

What attributes are in PCI DSS?

PCI DSS has 12 attributes. Not all organizations must meet all 12 requirements. Whether they do depends on the organization's credit card processing activities.

The 12 requirements are the following:

  1. protect systems with firewalls;
  2. establish and configure passwords and security settings;
  3. establish a process for protecting stored cardholder data;
  4. encrypt customer data as it is transmitted across open, public networks;
  5. deploy antivirus software and update it regularly;
  6. schedule and perform regular patching of systems as prescribed by vendors;
  7. use the "need to know" principle when providing access to cardholder data;
  8. manage access to systems via a unique user identifier, such as a password or multifactor authentication;
  9. limit physical access to cardholder data in places like data centers and work areas;
  10. establish and deploy logging and Log Management;
  11. manage the security posture through regular penetration testing and vulnerability scanning; and
  12. establish a process for managing documentation and risk assessments.

What is an SAQ and when it is used?

A Self-Assessment Questionnaire documents how well a merchant complies with specific PCI DSS controls and requirements. The merchant performs the SAQ using an employee who has been trained and certified as an Internal Security Assessor.

There are nine SAQs. An organization performing an SAQ must determine which of the nine SAQs applies to its business based on how it handles credit card transactions. ISAs perform the data collection and other evidence gathering related to the SAQ. They complete the questionnaire and send it to the entity that is responsible for validating compliance.

What is the difference between an ROC and an SAQ?

Both ROCs and SAQs have specific requirements that must be fulfilled. Organizations can prepare either as part of the firm's Attestation of Compliance process. Completing either an SAQ and/or ROC helps reduce compliance risks by assessing and validating compliance requirements.

Report on Compliance

An ROC is typically performed by a third-party organization that has employees trained and certified as QSAs. Larger organizations that handle millions of credit card transactions a year are more likely to be required to use an ROC to confirm its PCI DSS compliance.

Self-Assessment Questionnaire

Organizations perform SAQs as a simpler way to verify PCI DSS compliance. Employees, such as a compliance officer, trained as an ISA perform the assessment. Small and medium-sized business can opt for either an SAQ or an ROC. An SAQ is the more convenient and less costly option.

What do ROC and SAQ reports include?

The best way to learn what goes into an ROC or SAQ report is to view the documents in the PCI Document Library. The library includes the following documents that provide details on ROC and SAQ processes:

  • Report on Compliance Template
  • Attestation of Compliance for Onsite Assessments -- Merchants
  • Attestation of Compliance for Onsite Assessments -- Service Providers
  • Frequently Asked Questions for use with ROC Reporting Template
  • SAQ Instructions and Guidelines

PCI DSS is one of many sets of data security standards. Find out about seven other important frameworks and standards available to protect data.

This was last updated in November 2021

Continue Reading About Report on Compliance (ROC)

Dig Deeper on Compliance

Enterprise Desktop
Cloud Computing