The importance of PCI Attestation of Compliance (AoC)
Protecting sensitive customer data from breaches and ensuring secure transactions should be a top priority for any company that accepts card payments. One crucial aspect of achieving this security is complying with the Payment Card Industry Data Security Standard (PCI DSS), which necessitates a PCI attestation of compliance (AoC).
PCI AoC is a standard security practice that every organization involved in payment processing should be familiar with. However, it often remains misunderstood for many companies, who may be unaware of its existence or confused about its significance. This lack of understanding can expose businesses and their customers to significant risks, including data breaches, financial losses, and damage to their reputation. In this article, we demystify PCI AoC, shedding light on its importance, its implications for organizations, and the steps required to achieve and maintain compliance.
PCI acronyms: A quick guide
Many of the terms around PCI compliance are explained through acronyms. Below is a summary of the key terms you’ll come across when learning about and completing the steps required for PCI compliance:
- Payment Card Industry Data Security Standard: PCI DSS
- Payment Card Industry: PCI
- Attestation of compliance: AoC
- Qualified Security Accessor: QSA
- Self-Assessment Questionnaire: SAQ
- Report on Compliance: RoC
- Security Standards Council: SSC
What is PCI AoC?
PCI AoC is a documented declaration of a company’s compliance with the PCI DSS. The documentation communicates that the organization has the required security practices in place to keep cardholder’s data secure and protect against threats that could compromise this data. The PCI AoC has to be completed by a Qualified Security Accessor (QSA), an independent entity that is certified by the PCI Security Standards Council (PCI SSC). PCI DSS audits are carried out by the PCI SSC and determines if a company is PCI-compliant or not.
Who does PCI compliance apply to?
PCI compliance applies to any organization that processes, stores, or transmits payment card data. This includes merchants that accept card payments, whether online, in-store, or through other channels. Service providers, including software companies, must also be PCI compliant as they collect and process cardholder data when they accept card payments. Acquiring banks, issuing banks, and payment card companies such as Visa, Mastercard and American Express also need to be PCI-compliant.
How does a company get a PCI AoC?
The process to receive a PCI AoC is generated under a self-assessment model where most companies will need to complete an assessment of their compliance — the Self-Assessment Questionnaire (SAQ) created by the PCI DSS. Once the business has completed the questionnaire, the QSA reviews it to ensure the company is PCI-compliant. Larger organizations also need to complete a PCI Report on Compliance (RoC). This is a lengthier process, that requires the QSA to conduct an audit of the company’s process documentation and security controls. If the organization passes their RoC assessment, they will automatically receive an AoC.
What are the different levels of PCI compliance?
A company’s requirement to secure an AoC, RoC, or both is dependent on the company’s compliance level as determined by the PCI DSS. The specific requirements and compliance levels within the PCI DSS framework vary based on the size and transaction volume of an organization. Companies that have recently experienced a cyber attack or have a high level of information security risk may have to adhere to a higher level of PCI compliance even if their transaction volume falls into one of the lower categories.
While the five payment card brands (American Express, Discover, JCB, Mastercard and Visa) have specific compliance standard levels based on transaction volume, these generally fall across four levels:
- Level 1: Merchants that process over 6 million card transactions annually.
- Level 2: Merchants that process 1 to 6 million transactions annually.
- Level 3: Merchants that process 20,000 to 1 million transactions annually.
- Level 4: Merchants that process fewer than 20,000 transactions annually.
How do you ensure that your business is PCI compliant?
If your organization requires level 1 compliance, it will need an external audit completed by a QSA. As mentioned above, the audit will review your company’s documentation and technical information around payments security, determine if the compliance requirements are met, provide support and guidance, and evaluate security controls to ensure compliance. Once the audit is completed, the QSA will send the RoC to the company’s acquiring banks as a demonstration of its compliance. Companies that fall into PCI levels 2, 3 and 4 can complete the SAQ, but level 2 organizations also need to complete an RoC.
If you’re unsure what PCI compliance level your company is or how to ensure PCI compliance, working with a payments partner who not only understands compliance but how to maximize the return on investment (ROI) of embedded payments, will help you to ensure your cardholder’s data is secure at all times. This reduces the risk of a cyber security breach and the myriad subsequent impacts that can be costly to address, including financial loss and reputational damage.
Get peace of mind when it comes to PCI compliance with Payrix
PCI compliance is a critical aspect to get right for all businesses that accept card payments. Whether you’re a small business or large organization, there are specific PCI compliance standards that you are required to meet. Meeting these standards will ensure your business has the infrastructure to securely take card payments and that it is better protected in the event of a data breach. With the right payments partner, you’ll have access to payments experts that will help you ensure that your company is PCI compliant and that it maximizes the ROI of embedded payments, securely and seamlessly.