The Report on Compliance (ROC)

The Report on Compliance is the definitive documentation of a Level 1 PCI DSS assessment. It is the deliverable that card networks, acquirers, and enterprise clients rely on to confirm that a Level 1 service provider or Level 1 merchant has been independently assessed against every PCI DSS requirement. Understanding what the ROC contains, how it differs from a SAQ, and who should (and should not) receive it is essential for organizations at every level of the PCI DSS ecosystem.

ROC vs. SAQ — Key Differences

Aspect | Report on Compliance (ROC) | Self-Assessment Questionnaire (SAQ)
Who prepares it | Qualified Security Assessor (QSA) after an independent assessment (or, where the card brand and acquirer permit, an Internal Security Assessor) | The organization completes its own assessment (self-reported)
Required for | Level 1 merchants and Level 1 service providers | Level 2–4 merchants and Level 2 service providers (validation requirements for Level 2 merchants vary by card brand and acquirer)
Testing procedures | QSA performs and documents detailed testing for each requirement | Organization self-attests to compliance
Independence | Independent third-party assessment | No independent verification
Evidence review | QSA reviews and cites evidence for each control | Evidence not reviewed by an independent party
Market trust | High: independently verified | Moderate: self-reported
Cost | High: QSA professional fees | Low to moderate: internal staff time
Length | 100–300+ pages | 20–340 questions depending on SAQ type

ROC Structure — What It Contains

Executive Summary

The executive summary gives an overview of the assessment scope, the QSA company and assessment team, the assessment timeline and the date the assessment was completed, the overall compliance result, and a summary of findings. The overall result is one of compliant, non-compliant, or compliant but with legal exception; a requirement met through a compensating control is still reported as "in place" and does not change the overall result.

Scope Description

A detailed description of the systems, people, and processes included in the assessment. It includes the CDE definition, a network architecture overview, a data flow summary, and a description of any scope reduction measures (tokenization, P2PE, network segmentation) together with, where segmentation is relied on, how its effectiveness was verified.

Requirement Testing Procedures and Results

The core of the ROC: a section for each of the 12 requirements (and their sub-requirements) documenting the specific testing procedures the QSA applied, the evidence reviewed (interviews, documents, configurations, sampled systems), the findings from testing, and the result for each requirement (in place, in place with a compensating control, in place with remediation under PCI DSS v4, not applicable, not tested, or not in place).

KEY IDEA: The ROC is not just a checklist of pass/fail results; it is a documented record of what was tested, how it was tested, and what evidence was reviewed. When an enterprise client or regulator reviews your ROC, they can see the specific testing procedures applied and the evidence cited. A well-documented ROC builds significantly more trust than one with sparse or generic descriptions.

Compensating Controls Worksheets

If an organization cannot meet a requirement as written because of a documented, legitimate technical or business constraint, it may implement compensating controls. The ROC includes a Compensating Controls Worksheet (CCW) for each such requirement, documenting the constraint, the objective of the original requirement, the additional risk created by not meeting it, the compensating control implemented, how the control was validated, and how it is maintained. To be accepted, a compensating control must meet the intent and rigor of the original requirement, provide a similar level of defense, go beyond what other PCI DSS requirements already demand, and be commensurate with the additional risk. The QSA records whether the control is sufficient, and each CCW is re-evaluated at every annual assessment.

Management Response to Findings

For any requirement found to be "not in place", the organization must document a remediation plan: the nature of the gap, the remediation actions planned, the target completion date, and the person responsible. This plan is recorded in the Action Plan section of the AoC (Part 4) alongside the QSA's findings. There is no "conditional" ROC: a requirement that is still not in place when the assessment closes produces a non-compliant ROC and AoC, and the assessment must be updated once the gap has been remediated and re-tested. Under PCI DSS v4, a control that was not in place when first tested but was fixed and re-tested before the assessment concluded is reported as "in place with remediation" rather than as an open finding.

How to Use the ROC

With Acquiring Banks and Card Networks

Submit the AoC (Attestation of Compliance: the short signed summary executed by the QSA and the organization's management) to your acquiring bank, which forwards it to the card networks as their compliance programs require. Card networks typically see the AoC, not the full ROC. The full ROC is retained by the organization (and the QSA) and made available to acquirers or card networks on request.

With Enterprise Clients

Enterprise clients and procurement teams requesting PCI DSS evidence should receive the AoC, not the full ROC. The full ROC contains detailed information about system configurations, network architecture, and sampled hosts that should not be shared broadly. If a client insists on the full ROC, put an NDA in place first.

With Indonesian Regulators

Bank Indonesia and OJK may request evidence of PCI DSS compliance from payment system operators and licensed institutions. The AoC is the appropriate submission; the full ROC may be requested during supervisory reviews.

IMPORTANT: PCI DSS validation is annual, so an AoC is treated as valid for 12 months from the assessment completion date printed on it. Schedule the next assessment so that the new AoC is issued before the current one lapses. Acquiring banks and card networks track AoC dates and will flag organizations whose compliance has lapsed, and many service provider agreements make submission of a current AoC an annual contractual obligation.

Organizations that move from SAQ to ROC validation often underestimate the difference in evidence quality required. A QSA testing for a ROC will want evidence that controls actually operated throughout the assessment period, not just policies and configurations: for example, dated records of log review (PCI DSS requires security logs to be reviewed daily), completed quarterly access reviews, four passing quarterly ASV scan reports, and annual penetration test reports. Start collecting this evidence from the beginning of your compliance program, not just in the months before the assessment.