What is PCI Compliance Attestation [How to Prepare Yourself]

Ayush Saxena

Ayush Saxena

Mar 10, 2023

PCI compliance attestation

For all enterprises that process payment cards, the Payment Card Industry Data Security Standard certification or PCI-DSS is a priority for the data security and compliance list. The PCI-DSS is defined as an information security standard for organizations that deal in branded credit card transactions.

The PCI Data Security Standard serves as a foundation of controls and compliances, recommending a baseline level of security for service providers and merchants who process, store, and transmit payment card data.

Although the PCI Council cannot compel compliance and has no legal authority for the same, the credit card companies would not process your payment cards and may attract heavy fines as well in case of non-compliance. So, in case your organization processes branded payment cards, then you must be in compliance and get the PCI-DSS certification.

What is PCI compliance attestation (AOC)?

A PCI AOC or Attestation of Compliance is a testimony that an organization can successfully demonstrate exceptional security best practices in compliance with PCI DSS (Payment Card Industry Data Security Standard) to secure cardholder data.

A Qualified Security Assessor (QSA) must complete an AoC or the merchant if the merchant’s internal audit performs validation. A QSA is an establishment that is validated by the PCI SSC or PCI Security Standards Council to carry out PCI DSS audits and determine whether companies are PCI compliant.

Assessments result in either an attestation of Compliance (AoC) Report on Compliance (RoC) or both. It serves as documented evidence that the company’s s security practices and compliances effectively protect against threats to cardholder data.

Who is required to go through PCI compliance attestation?

Every entity that manages cardholder data or accepts card payments must be in compliance with the PCI DSS or Payment Card Industry Data Security Standard to avoid violations and protect your customer data. Organizations must go through an assessment with a QSA to obtain an AOC, which serves as documented evidence to prove compliance with PCI DSS. Failure to comply attracts costly security breaches and fines. 

PCI compliance attestation levels

For instance, Wawa recently agreed to pay an $8 million settlement to end the investigation for December 2019 data breach that compromised roughly 34 million payment cards across all Wawa stores. Multiple violations of PCI DSS were uncovered. 

That said, whether a company needs an RoC also depends on its compliance level for merchants and service providers based on debit card and credit card transactions. As a thumb rule, the more debit card and credit card transactions, the stricter the QSA assessment criteria.

What are the steps to prepare for PCI compliance attestations?

Simplify the necessary work and maximize the effort of relevant resources using these five steps ahead of your assessment.

PCI compliance attestations steps

1. Complete a Risk Assessment.

Every company, regardless of if they’re related to the payment security business or not, should understand how to efficiently manage its own risk, although, for the one’s processing transactions, a complete detailed risk analysis must be performed on the environment.

In addition, the updated version of PCI DSS has elevated risk management to an essential core competency.

Your goals should be able to define the following in this process:

  • Identify assets, threats, and vulnerabilities relevant to your services
  • Identify security gaps and remediate the same
  • Define and determine risk levels of critical assets, including software, hardware, and sensitive information
  • Assign a prioritization level for reducing risk, 

2. Document Policies and Procedures.

The risk assessment, once completed, will present a much clearer view of your security threats and risks helping determine your organization’s security posture.

The procedures and policies are the foundation for any security program as well as comprise a large percentage of the PCI DSS requirements. 

With proper documentation and reporting, your organization will be able to establish detailed security procedures and policies by performing risk analyses that are both compliant with the standard as well as are tailored to your business processes and security controls within the enterprise.

3. Identify Compliance Gaps.

At this point, it’s very important for the management to authorize the necessary funds and resources to implement necessary remediation activities for any potential security compliance gaps. Post this, consult your QSA to review your security policies for accuracy and comprehensiveness while also helping identify any additional compliance gaps that require remediation before your full-scale assessment. Once you have your final control set in place, you’ll need to

  • Identify high-level areas that are not compliant
  • Perform regular vulnerability scans;
  • Perform quarterly external scans by getting into a contract with an Approved Scanning Vendor (ASV)
  • Schedule the necessary annual penetration testing.

4. Conduct Training to Educate Employees.

Post-remediation activities are completed, and security policies and procedures are implemented, it’s time to turn towards supporting the human element of payment card security through education and training:

  • Technical employees should complete any training classes or certifications necessary to operate and monitor the security control set in place.
  • Incident responders should follow the standard NIST SP 800-61 for review.
  • Non-technical employees must be educated on general security awareness practices such as spotting possible phishing or social engineering attacks, password protection,  etc.
  • OWASP offers training materials for secure coding guidelines in case software development is performed at your organization.

5. Perform Maintenance.

After addressing your risks through control implementation and remediating your gaps, you’ve established a firm security posture where people understand their roles in securing your payment card environment. The standards defined by PCI DSS must be integrated into your everyday operation to maintain cybersecurity as well as ease the burden of your annual assessments.

You’re prepared for your full-scale PCI DSS assessment, but in the meantime, you should enter a “maintenance mode.”

  • Perform periodic internal audits
  • Conduct regular committee meetings
  • Periodic risk assessments must be conducted
  • Update procedures, policies, and security controls as necessary to ensure an appropriate response to an ever-changing threat landscape.

What are the 12 PCI compliance requirements?

The 12 PCI compliance requirements are outlined below:

  • Firewall  to protect cardholder data within the corporate network
  • Unique passwords should be changed periodically
  • Implement physical and virtual measures to protect stored data
  • Encrypt data in transit of cardholders across public networks, and you should never store card validation data
  • Use and regular update of antivirus on all internal systems holding sensitive data
  • Secure systems and applications should be developed to actively search for vulnerabilities and remediate them
  • Access to cardholder data must be controlled and accessible on a need-to-know requirement to reduce vulnerability
  • Only authorized personnel must be able to access system components holding sensitive with a clear user identification
  • Physical access to cardholder data is prohibited
  • Monitor real-time access to cardholder data and network resources to provide an audit trail and aid in breach investigations.
  • Security systems and processes must be tested regularly to identify vulnerabilities and remediate them.
  • Maintain a clear policy that conveys security information to all personnel.

PCI Security Compliance Checklist

Have this handy PCI Compliance checklist to ensure your organization is PCI compliant:

Determine PCI level 

The PCI level depends on the number of transactions you process annually and compares the same to the requirements for every credit card company you plan to support.

Map the flow of cardholder data. 

For people, applications, and systems that are associated with credit card data, map the flow of cardholder data and secure it. All credit payment platforms and storage systems that hold card data. 

Fill out the Self-Assessment Questionnaire (SAQ) 

The SAQ or Self-Assessment Questionnaire is a tool used to validate the 12 requirements under PCI compliance. Your organization must meet every requirement to be compliant.

Fill out the Attestation of Compliance (AOC)

This document differs as per the PCI compliance level of your business and ensures that you satisfy every PCI compliance step.

Conduct a vulnerability scan. 

To scan for security vulnerabilities and make sure that you meet all standards, you can get into a contract with approved scanning vendors (ASVs). 

Submit documents

Submitting documents, including SAQ, AOC, and ASV reports to credit card companies, banks, etc.

Real-time Monitoring

Monitor and access your business, IT infrastructure and the sensitive data you store with regular security scans. Compliances should be monitored and remediated on an ongoing basis throughout the year. A security team should be established that is responsible for monitoring and responding to vulnerabilities and threats.

What are the benefits of PCI compliance attestation?

It is important to win the trust of the customers in terms that their data is being protected because many businesses are vulnerable to data breaches at their customer’s expense. Let us learn more about the benefits of being PCI compliant towards your company’s security and risk mitigation.

Establish cybersecurity posture

PCI compliance protects an organization against breaches. As per a study conducted by Verizon, PCI-compliant businesses are 50% more likely to successfully counter an attempted breach.

Boost customer confidence 

Customers are more likely to engage with your business, especially on the web, if your organization invests in data security and is PCI compliant.

Avoid additional costs 

Your enterprise may attract fines from the bank if a breach occurs, and you may be required to replace credit cards or compensate affected customers. Having security compliance in place means less risk of fines. In case your enterprise experiences a security breach, you will be promoted to PCI Level 1 and will be required to perform a complete, costly certification.

Aligns with industry standards 

By aligning with a standard, PCI DSS compliance ensures that businesses everywhere ensure their information security is at a level acceptable throughout the industry.

Achieve PCI DSS Compliance with Sprinto

For any organization that comes into contact or processes with Card Holder Data or CHD, getting a PCI attestation of compliance certificate or equivalent testimonial of PCI compliance is essential.

*Becoming PCI compliant is essential to business needs, but doing so without help is not easy.

The standard requires organizations to adopt over a dozen security requirements and 300 rigorous security controls. This can take significant time and resources, delaying the process of receiving your AoC.

Sprinto helps in achieving PCI compliance while helping cut hundreds of hours off of the compliance process with compliance automation, helping your organization meet all necessary operational controls and implement security best practices.

Get in touch with us now to learn more about how Sprinto can help your organization become and remain PCI compliant; request a demo today.


The PCI-DSS certification helps you lay the foundations for good security compliance practices, which will take you a long way in thwarting cyberattacks that target customer payment card information. Once you have obtained the PCI-DSS certification, customers are more comfortable in engaging with your organization.

Being able to demonstrate that you are capable of securing and managing the risks associated with handling highly sensitive payment card data. The Report on Compliance (ROC) and the Attestation of Compliance (AOC) prove that you are indeed PCI-DSS certified.


How often should an attestation of compliance be submitted?

AoC documents are sent annually to an organization’s credit card acquirer to establish that they have upheld PCI DSS compliance.

What does attestation of compliance mean?

An Attestation of Compliance (AoC) is a testimony of an organization’s compliance with the Payment Card Industry Data Security Standard (PCI DSS) and can successfully demonstrate exceptional security best practices to secure cardholder data.

How long is the PCI DSS AoC effective? 

The functional time frame for compliance is one year and starts on the date of passing the audit as well as receiving the AoC from the Qualified Security Assessor (QSA) and expires one year from the date the RoC or AoC is signed.

How do I get an attestation of compliance?

An AoC must be done by a Qualified Security Assessor (QSA) or the merchant in case the merchant’s internal audit performs validation. Post assessments, either an AoC, Report on Compliance (RoC), or both, are submitted. The documents are handed over to the merchant’s credit card acquirer every year to prove compliance with the PCI DSS.

Ayush Saxena

Ayush Saxena

Ayush Saxena is a senior security and compliance writer at Sprinto. As a child, Ayush was always fascinated by the world of hacking and cybersecurity. His inquisitive nature led him on a path of working in the industry of cybersecurity and compliance, curating the latest trends and emerging technologies in cybersecurity to provide relevant and actionable insights to its audience. You can find him hiking, travelling or creating some music in his free time.

Schedule a personalized demo and scale business

Recommended articles

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.