What is a PCI DSS Report on Compliance (RoC)?


A PCI DSS Report on Compliance is the formal assessment document QSAs produce for Level 1 merchants. Learn what it contains and how it works.

What the RoC Contains

Executive Summary

Every RoC opens with an executive summary that documents the organization's overall compliance posture, the scope of the assessment, the assessor performing the engagement, and the date range covered. The executive summary is what acquirers read first to determine the disposition of the assessment.

Scope Documentation

The RoC includes detailed documentation of the cardholder data environment scope — the systems, applications, network segments, and personnel that fall within PCI DSS applicability. Scope documentation is the foundation of the entire RoC; if scope is wrong, every downstream control evaluation is affected. This is why scoping work is the most consequential pre-assessment activity.

Control Evaluation Across All 12 Requirements

For each of the 12 PCI DSS high-level requirements — and the roughly 250-300 specific control items they expand to — the RoC documents the assessor's findings: what controls are in place, what evidence the assessor reviewed, what test results validate control effectiveness, and what compensating controls are in use where standard controls do not apply.

Compliance Disposition

The RoC concludes with a compliance disposition for each requirement: in place, not in place, not applicable, or in place with compensating controls. Compliance with the standard requires an "in place" disposition for every applicable requirement. Requirements found not in place typically generate remediation obligations that the organization must address before the next assessment cycle.

The RoC Assessment Process

Pre-Assessment Preparation

Most organizations engage in pre-assessment preparation work before the formal QSA engagement begins — gap analysis, evidence collection, scope validation, and control documentation. Organizations that arrive at the QSA engagement with mature pre-assessment work complete the engagement materially faster and at lower cost than organizations relying on the QSA to discover gaps during fieldwork.

Fieldwork and Evidence Review

The QSA's fieldwork phase involves on-site or remote review of the organization's environment, interviews with control owners, observation of control execution, and detailed evidence review. The QSA collects sufficient evidence to support each control disposition in the final RoC.

Report Production and Quality Assurance

Following fieldwork, the QSA produces the RoC and submits it through quality assurance review at the QSA firm. PCI SSC quality requirements impose specific standards on RoC documentation; reports that do not meet those standards are revised before submission.

Acquirer Submission and Disposition

The completed RoC is submitted by the assessed organization to its acquiring bank. The acquirer reviews the RoC, evaluates any non-compliant findings, and determines the organization's processing status. Material non-compliance can produce restrictions on processing privileges, increased monitoring requirements, or other consequences imposed by the acquirer.

RoC Strategy for PE Portfolio Companies

For PE operating partners, RoC engagement is one of the higher-cost recurring compliance investments at portfolio companies that operate at Level 1 merchant or service provider scale. The strategic considerations include timing alignment across the portfolio (consolidating engagements with a single QSA firm produces volume pricing), transition planning around acquisitions (new acquisitions inherit the RoC posture of the seller, which may or may not align with the portfolio's compliance program), and remediation investment provisioning during pre-close diligence.

The portfolio-level discipline is treating RoC engagement as a standardized operational program rather than a portco-by-portco project. The cost savings, posture comparability, and platform-level visibility benefits typically exceed the structural cost of central coordination.

Frequently Asked Questions

Who needs a RoC versus a SAQ?
Generally, Level 1 merchants (more than 6 million transactions per card brand per year) and large service providers require RoCs. Lower-tier merchants typically complete SAQs. Specific requirements vary by card brand and acquirer.

How long does a RoC remain valid?
RoCs are typically produced annually. Material changes to the cardholder data environment between assessments can require interim assessment work, even if the next annual RoC is not yet due.

Can I conduct my own internal RoC-equivalent assessment?
Internal assessments can prepare the organization for the QSA engagement and identify gaps before the assessor does. They cannot substitute for the QSA-produced RoC for organizations required to submit one.

What happens when the RoC identifies non-compliance?
The non-compliance is documented in the RoC. The organization typically produces a remediation plan that the acquirer reviews. Material non-compliance can produce processing restrictions or other consequences depending on severity and the acquirer's policies.

Can the RoC be shared with customers or used in marketing?
The full RoC is typically confidential and shared only with the acquirer. Many organizations produce a public-facing Attestation of Compliance (AoC) — a summary document that confirms the organization is PCI DSS compliant without disclosing the detail of the RoC.

Real-World Example: When the RoC Catches What the SAQ Missed

A Cloudskope engagement with a payment processor that had grown from Level 2 to Level 1 merchant status illustrates the structural value of RoC versus SAQ. Pre-engagement, the organization had been completing SAQ-D self-assessments annually with no significant findings. The transition to Level 1 required first-time RoC engagement.

The QSA assessment surfaced three material findings the SAQ self-assessment had missed: a network segmentation gap that expanded actual scope beyond the documented scope, a logging requirement gap on database systems that the internal team had assumed was satisfied by the application-tier logging, and a key management practice that did not meet the standard's specific requirements for key custodian segregation.

None of the findings were unusual — they were the kind of gaps that internal self-assessment routinely overlooks because the team writing the assessment is the same team operating the controls. The structural value of QSA-led RoC assessment is the independence that surfaces gaps the internal team has internalized as compliant.

200+: Approximate number of distinct control items a Report on Compliance must address at full SAQ-D / RoC scope, expanded from the 12 high-level PCI DSS requirements. The volume of required evidence is the primary reason RoC engagements run weeks rather than days.

How Cloudskope Can Help

Cloudskope provides RoC preparation and QSA-coordination services for organizations facing first-time RoC engagement or annual recertification. Our pre-assessment work — scoping validation, gap analysis, evidence collection, and remediation execution — typically reduces the QSA engagement duration by 30-50% and the total engagement cost by a comparable margin.