The Attestation of Compliance is the document that most organizations, clients, and partners actually encounter when discussing PCI DSS compliance — not the full ROC or completed SAQ, but the one- to two-page attestation that summarizes the compliance finding. Understanding what the AoC represents, what it does not represent, and how to use it appropriately is essential for any organization in the PCI DSS ecosystem.
What the AoC Actually Is
The AoC is a short, standardized form published by the PCI SSC that summarizes the outcome of a compliance assessment. It contains:

- the organization's name and the assessed service or merchant environment;
- the assessment type (ROC or SAQ);
- the assessment date and period;
- the compliance status (compliant / compliant with requirements identified for remediation);
- the scope of the assessment (a brief CDE description);
- the QSA Company and the lead assessor's name and signature (for ROC-based AoCs);
- the organization's senior management signature.
| KEY IDEA | The AoC is not the same as the compliance report — it is a signed summary of the compliance report. When a client asks "Do you have PCI DSS compliance?" and you provide an AoC, you are providing them with the attestation of your compliance status, not the full evidence of how your controls were tested. This is appropriate for most client relationships — the full ROC should only be shared under NDA when genuinely required. |
AoC Types — Merchant vs. Service Provider
| AoC Type | Who Uses It | Key Contents | Where Submitted |
|---|---|---|---|
| Merchant AoC (from SAQ) | Level 2–4 merchants | SAQ type completed, compliance status, merchant signature, no QSA signature | Acquiring bank annually |
| Service Provider AoC (from SAQ D-SP) | Level 2 service providers | SAQ D-SP completion, compliance status, SP management signature | Acquiring bank / card network |
| Merchant AoC (from ROC) | Level 1 merchants | Assessment period, scope, QSA signature + company, management signature, compliance status | Acquiring bank / card network |
| Service Provider AoC (from ROC) | Level 1 service providers | As above; listed on Visa/MC service provider compliance lists | Card network programs, customers |
Signing the AoC — Who Must Sign
For the organization, the AoC must be signed by a senior officer — typically the Chief Information Security Officer, Chief Technology Officer, Chief Compliance Officer, or equivalent C-level executive. The signatory is attesting that the information in the assessment is accurate and that the organization has implemented PCI DSS controls. This is a legal attestation with personal accountability.
| IMPORTANT | The executive signature on an AoC is not a formality. The signatory is personally attesting that the compliance information is accurate and that the described controls are actually in place. Signing an AoC that does not accurately reflect the organization's security controls — particularly in the event of a subsequent breach — can expose the individual signatory to personal liability. This is why internal readiness review before signing matters. |
The AoC Validity Period
An AoC is valid for 12 months from the end of the assessment period. The assessment period end date (for ROC-based assessments) is the date fieldwork concluded and the compliance determination was made. Acquirers and card networks track AoC expiration and will contact organizations approaching expiration.
Sharing the AoC With Clients and Partners
The standard practice for sharing PCI DSS compliance evidence is to share the AoC, not the full ROC or SAQ. The AoC gives a client enough information to:

- confirm your compliance status;
- verify the assessment type (SAQ or ROC);
- confirm that the assessment period is current (not expired);
- identify the QSA Company that performed the assessment.
Service Provider Compliance Registries
Visa and Mastercard maintain public registries of compliant service providers. Visa's Global Registry of Service Providers lists all Level 1 service providers with current AoCs. If your organization is a Level 1 service provider, being listed on these registries is a significant trust signal to enterprise clients and partners — and listing requires submitting your AoC to the card networks through your acquirer.
| Indonesian PSPs and payment gateways that seek to expand internationally increasingly need to be on the Visa Global Registry and Mastercard SDP (Site Data Protection) compliant service provider list. This requires a Level 1 ROC (not SAQ D-SP) assessment and submission to the card networks through your principal member bank. Bitlion assists Indonesian service providers with the card network registration process as part of the compliance program. |