Attestation of Compliance (AoC)

What is an Attestation of Compliance (AoC)? 

An Attestation of Compliance (AoC) is the signed form in which an organization declares the result of its PCI DSS assessment. It summarizes the assessment that was performed (a Report on Compliance or a Self-Assessment Questionnaire), states whether the organization was found compliant, and is the document an acquiring bank or payment brand accepts as evidence of PCI DSS compliance.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for any organization that stores, processes, or transmits payment card data, including merchants and the service providers that handle card data on their behalf. It covers credit, debit, and prepaid card transactions and is intended to protect cardholders against theft and misuse of their account data. PCI DSS is an industry standard enforced contractually through the card brands and acquiring banks, not a government regulation.

The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five major payment card brands that formed the Payment Card Industry Security Standards Council (PCI SSC): American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

Any organization that stores, processes, or transmits cardholder data must validate its PCI DSS compliance and record the result in an Attestation of Compliance. Merchants typically submit an AoC to their acquiring bank annually as evidence that they have maintained compliance with PCI DSS.

How is an AoC Document Completed?

For an on-site assessment, a Qualified Security Assessor (QSA) performs the assessment, writes the Report on Compliance, and signs the AoC together with the assessed organization. A QSA is an assessor employed by a QSA company that the PCI Security Standards Council has certified to perform PCI DSS assessments. Alternatively, a merchant that is eligible to self-assess completes the appropriate Self-Assessment Questionnaire and signs the AoC itself; an organization with PCI SSC-trained Internal Security Assessors (ISAs) can also perform validation in house. Once completed, the form is submitted to the merchant's acquiring bank, which forwards it to the payment brands along with any other required documentation.

What is the significance of an AoC?

An AoC is significant because it is the formal evidence that a business has validated its PCI DSS compliance and is following the standard's controls to keep its payment environment secure. Noncompliance puts both the organization's reputation and its customers' payment data at risk. It also raises the organization's exposure when a breach does occur: without the required controls, stored card data and transaction details are easier to steal, and a single breach can expose the card information of thousands or even millions of customers.

Costs of a data breach

A credit card data breach is an expensive, crushing ordeal. Forensic investigations, legal fees, breach notification costs, higher processing fees, and customer compensation are all expenditures that can follow PCI DSS noncompliance, and these do not even include the lasting damage to brand reputation and consumer trust.

The card brands levy non-compliance fines, which the acquiring bank generally passes on to the merchant, to recover the costs your non-compliance imposes on them. These penalties are assessed monthly and can reach six figures.

If that's not enough, your acquiring bank and payment processor may terminate your contract for non-compliance, crippling your ability to accept card payments at all. Since debit and credit cards are the preferred payment method in today's digital market, many customers will simply take their business to competitors who can accept them.

Note that the work required to achieve PCI DSS compliance (and confirmed by an AoC) varies with the merchant's PCI level, as outlined below.


4 PCI Merchant Levels

  • Merchant Level 1: Merchants with over 6 million transactions a year, or any merchant the card brand designates as Level 1 (typically after a data breach)
  • Merchant Level 2: Merchants with between 1 million and 6 million transactions annually
  • Merchant Level 3: Merchants with between 20,000 and 1 million e-commerce transactions per year
  • Merchant Level 4: Merchants with fewer than 20,000 e-commerce transactions annually, or any merchant processing up to 1 million transactions annually across all channels

How Merchant Levels Impact PCI DSS Compliance

Which of the four levels your organization falls into determines how compliance must be validated. Each card brand defines its own merchant levels and counts transactions per brand, so check the brand's current program; the following requirements are typical:

  • Level 1 merchants must undergo an annual on-site assessment by a QSA (or a PCI SSC-trained Internal Security Assessor), which produces a Report on Compliance (RoC), and must pass quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV). The AoC that accompanies the RoC is submitted annually.
  • Level 2, 3, and 4 merchants complete the Self-Assessment Questionnaire (SAQ) appropriate to how they handle card data and, where their SAQ type requires it, pass quarterly external vulnerability scans by an ASV. An AoC must be submitted along with the SAQ.
  • If your organization is a Level 3 merchant but suffers a breach that affects cardholder data, the card brands may require you to validate at a higher merchant level, typically Level 1, and subject you to the stricter validation that level carries.

The vast majority of consumers prefer credit or debit card payments over cash and checks. Popularity notwithstanding, consumers are concerned about the security of their financial data when paying by card. Businesses must secure all card payments through compliance with PCI DSS, and completing an Attestation of Compliance (AoC) is a critical step toward demonstrating that compliance and earning consumer trust.

At Centraleyes, we are dedicated to helping your compliance team rethink your regulatory compliance programs, along with your entire cyber architecture. With Centraleyes, achieving PCI compliance is simple. Our automated platform cuts hundreds of hours from compliance preparations. Make sure your PCI DSS compliance is fully validated and your Attestation of Compliance (AoC) submitted with our streamlined platform.
