What is a PCI ROC?

TJ Quirk
Jul 21, 2015 9:32:12 AM

Often times we hear terms that are thrown around like PCI Risk Assessment and PCI Report on Compliance (ROC).  Are you often struggling to understand the difference between these requirements and if / when you’re required to complete them?  The good news is that you’re not alone and hopefully we will clear up some of the confusion around these terms, what they mean and when you need to complete them below.

What is a PCI ROC?

  • Report On Compliance- AKA “ROC”
  • A PCI ROC is required for all Level 1 Merchants. A Level 1 Merchant is a retailer that has more than 6 million annual transactions with Visa and/or Mastercard 
  • Level 1 Merchant - ROC & Quarterly External ASV Scans
  • Level 2 Merchant - ROC or appropriate SAQ & Quarterly External ASV Scans (depending on card brand requirements)
  • Level 3 Merchant - Appropriate SAQ & Quarterly External ASV Scans
  • When in doubt, ask your acquiring bank and they will let you know what level your organiations is and you can make your decision from there!

What’s the difference between a ROC and PCI Risk Assessment?

  • A Risk Assessment is an evaluation of what processes are in place to meet the PCI Data Security Standard 3.1 (PCI DSS 3.1).  This is an assessment that results in an Executive Summary of the standards that were met and the areas where there were failures compared to the 12 Data Security Standards
  • A Report on Compliance (ROC) tests the standards that are in place to protect the credit card information. 
  • Tests payment applications, dataflow, network in place for the CDE, tests IT Policies and Procedures
  • A ROC must be completed by a Qualified Security Assessor (QSA) 
  • The QSA completes an Attestation of Compliance (AOC) that is sent to the retailer's merchant bank who then sends it to the appropriate card brand
  • Once you have determined when your organization is required to do (from your acquiring bank), you will have to complete these requirements annually

There you have it, a quick overview of what a PCI ROC is and when they need to be completed. As with any other type of security assessment, having an independent third party verify your compliance with PCI DSS 3.1 is a great idea to provide your clients and customers peace of mind around your security posture and the controls that you have in place to protect their sensitive data. Contact us today to learn more about how Compass IT Compliance can assist your organization with PCI Compliance!

PCI Compliance Checklist


You May Also Like

These Stories on PCI Compliance

Subscribe by Email

Comments (2)