
What PCI Attestation of Compliance Is and How to Get It

Every time a customer swipes their credit card, they trust that business to protect their sensitive payment information against mishandling or fraud. But proving that this trust is well placed requires certification.

Gaining certification requires merchants to adhere to the Payment Card Industry Data Security Standard (PCI DSS), a stringent framework designed to prevent breaches and uphold payment system integrity. The Attestation of Compliance (AoC) document is part of the process. 

To prove adherence to critical security standards, businesses must get a PCI DSS AoC, which verifies that their practices, security controls, and systems meet all requirements. 

What Is an Attestation of Compliance?

An AoC is a formal PCI security certification that attests to an organization’s compliance with the DSS, which outlines security measures that ensure the safe handling of payment information. An AoC demonstrates that the organization has put necessary security measures in place to protect cardholder data. 

Who Needs PCI DSS Attestation of Compliance?

The AoC is required for all businesses that store, process, or transmit payment card information. This includes companies such as merchants, service providers, and third-party vendors of all sizes. Compliance requirements vary depending on the volume of transactions processed.

PCI Compliance Levels

Organizations are categorized into four PCI compliance levels based on the number of annual transactions they process. Each level has specific requirements:

  • Level 1 applies to merchants processing over 6 million transactions annually and has the most stringent requirements. Merchants at this level typically undergo an annual audit by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV).
  • Level 2 applies to merchants processing 1–6 million transactions annually and requires an annual Self-Assessment Questionnaire (SAQ) and quarterly network scans by an ASV.
  • Level 3 applies to merchants processing 20,000–1 million transactions annually and requires an annual SAQ and quarterly ASV scans.
  • Level 4 applies to merchants processing fewer than 20,000 transactions or up to 1 million transactions annually through any acceptance channel. Requirements at this level are largely set by the merchant’s acquiring bank and typically include an annual SAQ and quarterly ASV scans. An AoC may or may not be required.

What’s the Difference Between Attestation of Compliance and Report on Compliance?

An AoC and a Report on Compliance (RoC) are both documents that demonstrate adherence to PCI DSS, but they differ in purpose and detail. 

While the AoC is necessary for most businesses, the RoC is a more detailed report required of larger organizations (Level 1) or those that have experienced a security breach. The RoC provides a thorough evaluation of a company’s security posture, while the AoC offers an overview of compliance status without as much technical detail.

The RoC is prepared by a QSA following an extensive onsite assessment. It documents the organization’s security controls and how cardholder data is protected.

What’s Included in an Attestation of Compliance Document?

An AoC outlines several sections that detail how an organization meets the security controls required to protect payment card data. These sections include:

Scope of Assessment

The scope of assessment outlines the systems, networks, and processes that the PCI DSS assessment covers. It defines the boundaries of the evaluation so that no in-scope component is overlooked during the audit.

Status of Compliance

This section identifies whether the organization meets the PCI DSS requirements. It includes areas where the organization is fully compliant and highlights areas that need further attention or improvement. 

Assessment Methodology

This part explains the procedures and tests that assessors use to determine compliance, which makes for a more thorough and credible assessment process. If the merchant is running a self-assessment, this section would outline the internal processes used to evaluate security compliance.

Security Control

The security control section details the measures the company has implemented to meet PCI DSS requirements. This includes protecting sensitive client data, access controls, encryption, and risk management strategies. 

Assessor Information

This section provides details about the individual or entity that conducted the PCI DSS assessment. It includes the credentials and contact information of the QSA, ASV, or Internal Security Assessor (ISA).

How to Get PCI Attestation of Compliance

Getting an AoC can be complex, but following these steps can prepare your business for the process. 

1. Understand PCI DSS Requirements
Organizations need to know the security controls specified by the PCI DSS and how these measures apply to their unique operations.

2. Determine Scope
The next step is to identify the systems and processes involved in handling cardholder data. Determine where and how an organization processes, stores, or transmits data across its network. By mapping this data flow, companies can define the boundaries of the PCI DSS assessment and evaluate all critical systems and security controls. 

3. Determine Compliance Level
Organizations must review their transaction volume to determine their PCI compliance level, which dictates the requirements for certification. Most payment processors make this information easy to access.

4. Prepare for Assessment
Before undergoing assessment, organizations should make sure they’re fully compliant with all necessary security controls. This includes secure data processing, efficient encryption methods, and a system for documenting all relevant processes. Preparation is important because gaps in these areas may delay the process or require extra steps.

5. Work With a QSA

Depending on an organization’s compliance level, it may need to work with a QSA, which conducts a thorough review of its compliance measures. For some merchants this is mandatory, and for others it’s optional, but a QSA can provide essential guidance and help the organization interpret PCI DSS requirements.

6. Complete Necessary Documentation
After the assessment, organizations must complete the necessary documentation to prove compliance. Required documents vary depending on the PCI DSS level. 

The QSA or the organization’s internal security assessor submits this information, along with audit findings, for review to verify that all required controls are in place and functioning as intended.

7. Receive and Submit Attestation of Compliance
Once the assessment is complete, the QSA or internal assessor will confirm that the organization meets all PCI DSS requirements and issue an AoC. The AoC must go to the relevant entities, like card brands or acquiring banks, to complete the compliance process. 

How Long Is an Attestation of Compliance Valid For?

An AoC is valid for one year from the date of issuance. Organizations must renew their AoC annually by undergoing a new assessment. Regular re-evaluations confirm that security measures remain effective as threats and standards evolve.

Monitor Compliance With Legit Security 

As cyber threats evolve, merchants must continually monitor and update their security measures to stay compliant with the latest standards. That means PCI DSS compliance isn’t a one-time effort but an ongoing commitment.

Legit Security is your partner. It quickly and easily provides the real-time evidence you need to complete self-assessments, without painful manual work. Legit Security aligns your security guardrails to PCI DSS requirements, then continuously monitors any policy violations.

Schedule a demo to learn how you can use Legit Security to streamline PCI DSS compliance.

Published on January 21, 2025