The Case for the PCI ROC: When to Perform One Over an SAQ

November 24, 2015 at 9:18 AM

PCI Compliance can be a challenging initiative to take on, especially if this is a new process for your organization. The merchant or service provider level you fall under determines what you must complete to become PCI Compliant. This takes one of two forms: a Self-Assessment Questionnaire (SAQ), which the organization can complete itself or with help from a third party, or a PCI Report on Compliance (ROC), which is performed by an independent Qualified Security Assessor (QSA) certified by the PCI Security Standards Council. The PCI Report on Compliance is essentially an audit. It is more intensive, requires far more evidence to be produced (policies, configurations, screenshots, sampled system output, and interviews), and ultimately takes more time and costs more money than completing an SAQ. But are there cases where you might want to have a PCI ROC completed for your organization even though it is not mandated? The answer is that it depends: on your business structure, on the goals of your organization, and on how you plan to use the Report on Compliance. Here are some situations in which you might want to consider having a PCI ROC completed even though it is not required:

  • Independent Third Party Audit – Organizations that are serious about building a culture of security might want to consider having a PCI Report on Compliance completed. The message this sends is that the organization is committed enough to security that it has hired an independent, objective subject matter expert in PCI Compliance to audit its systems and confirm they meet the requirements set forth in the PCI Data Security Standard. The practical benefit is just as important as the message: a QSA tests controls rather than taking the organization's word for them, so an SAQ answer that was honestly believed but not actually true is far more likely to be caught.
  • Marketing – This might sound a bit strange, but some organizations use their PCI Report on Compliance as a marketing tool to attract and acquire new customers. This goes hand in hand with the point above; the difference is that these organizations use the ROC proactively to demonstrate their seriousness about security and compliance when seeking new customers. Most organizations are "asked" or "forced" to have a PCI Report on Compliance completed by a prospective client in order to win their business. Some decide to get it done sooner rather than later, before they have been asked, and use it as a bargaining tool in negotiations with prospective clients.
  • Credibility – Again, this one is related to the two listed above, but having a PCI Report on Compliance completed when you are only required to complete an SAQ increases your credibility in the minds of prospective clients. Some might think you are crazy for having a full audit completed when it is not required; most will respect the decision and the thinking behind it, and it may make you more credible than your competitors. In addition, when you go through the PCI ROC process you receive a full, detailed report that documents every control evaluated and whether it was in place or not in place, along with an Attestation of Compliance (AOC) signed by the QSA. The detailed ROC itself is normally shared only with your acquirer or the card brands; the signed AOC is the document you hand to prospective clients, and a QSA-signed AOC will carry more weight with them than an SAQ signed by an employee of your own organization. A prospective client who knows PCI will also check the AOC for the assessment date, the services and locations it covers, and the name of the QSA company, so make sure those match what you are actually offering them.

In today's marketplace, organizations need to differentiate themselves from their competition in order to win additional business. How you accomplish that varies from company to company, but having a PCI Report on Compliance completed might be another feather in your cap and ultimately the tipping point in a competitive bidding situation. Again, it has to make sense for your organization and its goals going forward, but we have seen several companies come forward and request a PCI Report on Compliance when only an SAQ was required. If you have any questions about PCI Compliance and the services that Compass IT Compliance offers, please download our PCI Services brochure or feel free to contact us.
