Why You Need A PCI ROC

In one of our first blog posts, we talked about "What is a PCI ROC?". This post covered the basics of a PCI Report on Compliance, discussed which merchants and service providers take part in the PCI ROC process, and how a ROC differs from a Risk Assessment. Today, I want to share some ideas on why organizations should consider having a PCI Report on Compliance completed, even if the acquiring bank is not requiring one. But first, let's get a little background and refresher on what a PCI ROC is.

There are many reasons a PCI Report on Compliance can benefit your organization, but first a few refreshers from our original blog post:

• First of all, a PCI ROC needs to be completed by a Qualified Security Assessor (QSA). Credentials are granted through the PCI Security Standards Council. 
• Second, as a part of the ROC process, organizations will receive an Attestation of Compliance (AOC) from their QSA. 

Those two points seem pretty basic, and in truth, they are. But, I am going share some tips on how you can use the PCI Report on Compliance to help your organization from a perception and marketing perspective. Here we go:

1. Independence - This is a term that gets thrown around in Information Security all the time. Sometimes this is referred to as "Segregation of Duties" when talking about employees doing multiple roles in an organization. In this case, when you decide to have a PCI Report on Compliance completed, you are making a conscious choice to have an independent, objective third-party assess your environment. To me, this demonstrates that you are serious about security and aren't "checking a box". 
2. Confidence - A big part of being a Qualified Security Assessor (QSA) is having to provide sample PCI ROC's to the Security Standards Council for review on a yearly basis. To make a joke about this, one could say that the auditors get audited. The good news is that since this is true, a QSA has to be in "good standing" with the Security Standards Council. That means that they have never been put in "remediation" status by the council. I am proud to mention that Compass was an early adopter of PCI Compliance and one of the first companies to become a Qualified Security Assessor. We have NEVER been in remediation status! When  a reputable QSA is hired to conduct your PCI Report on Compliance, your organization can  have confidence in the report received at the end of the engagement.
3. Assurance - The definition of Assurance is "a positive declaration intended to give confidence; a promise." Upon completion of the ROC process, rest assured that your organization has complied with all 12 requirements of the most current version of the PCI Data Security Standards.
4. Competitive Advantage - Remember, this post makes the case to have a PCI Report on Compliance completed even when it is not required. This is not for the organizations that MUST have a PCI Report on Compliance completed. By having a ROC completed, a competitive advantage could be gained over the competition by demonstrating a commitment to security and compliance by "going the extra mile." In fact, I have a client that doesn't store, process, or transmit any cardholder data.  Why have they retained us to perform a PCI Report on Compliance for 3 years?  To prove, from a marketing perspective, their commitment to security and compliance.

So, is a PCI Report on Compliance right for your organization? You know your situation better than anyone. But, if you have a ROC completed when you are not required to, you are demonstrating a commitment to not only compliance, but to security as well. If you would like to discuss your specific circumstances to determine if a PCI Report on Compliance makes sense for you, feel free to contact us.

PCI Compliance Checklist