What Is a PCI ROC + When Do You Need One?

A PCI Report on Compliance (ROC) is a comprehensive assessment that demonstrates an organization's compliance with PCI DSS requirements.
Troy Fine

by Troy Fine

September 29, 2023

According to Verizon’s 2022 Payment Security Report, just 43% of organizations achieved full compliance during their Payment Card Industry Data Security Standard (PCI DSS) compliance validation. This leaves more than half of organizations and the data they manage at risk of data breaches. 

Any organization that handles credit or debit card data, or accepts credit or debit card payments must ensure PCI compliance. For some businesses, this means you’ll need to complete a PCI Report on Compliance (ROC). 

In this post, we’ll cover everything you need to know about a PCI ROC, including who needs one, how the process works, and what to do if you fail it. 

What Is a Report on Compliance (ROC)?

A Report on Compliance is an on-site comprehensive assessment conducted by a qualified security assessor (QSA) that demonstrates an organization's PCI compliance. 

The PCI is a set of security standards designed to ensure organizations that handle credit card transactions maintain a secure environment to protect cardholder data. A PCI ROC audit will evaluate whether your company complies with all 12 PCI DSS requirements, including:

  1. Protect cardholder data by installing a firewall.

  2. Do not use vendor-default passwords and security parameters.

  3. Protect stored cardholder data through encryption.

  4. Encrypt cardholder data in transit.

  5. Protect all systems against malware.

  6. Develop and maintain secure systems and applications.

  7. Restrict access to cardholder data to authorized personnel only.

  8. Authenticate access to all systems.

  9. Restrict physical access to cardholder data.

  10. Track and monitor all access to network resources and cardholder data.

  11. Regularly test security systems and processes.

  12. Maintain a policy that addresses information security for all personnel.

Who Needs To Complete a PCI ROC?

An ROC is required for Level 1 merchants and service providers, as well as any merchant that has experienced a data breach involving cardholder data. Level 2 merchants may also require an ROC depending on specific credit card brand requirements (Visa, Mastercard, Discover, etc.).

Typically, Level 2, 3, and 4 merchants and service providers will complete a self-assessment questionnaire (SAQ).

It's important to determine your organization’s specific PCI compliance level, as this will dictate the type of assessment or questionnaire you need to complete to demonstrate compliance. 

While businesses will conduct an annual ROC or SAQ, they must also complete quarterly external Approved Scanning Vendor (ASV) vulnerability scans. These are  security assessments conducted by authorized third-party ASVs to evaluate an organization's external-facing networks and systems. 

Here’s a breakdown of the PCI compliance validation levels and their criteria:

  • PCI Level 1 Merchant – ROC and quarterly external ASV scans

  • PCI Level 2 Merchant – ROC or SAQ (varies based on credit card brand) and quarterly external ASV scans 

  • PCI Level 3 Merchant – SAQ and quarterly external ASV scans

  • PCI Level 4 Merchant – SAQ and quarterly external ASV scans

  • PCI Level 1 Service Provider – ROC and quarterly external ASV scans

  • PCI Level 2 Service Provider – SAQ and quarterly external ASV scans



While Level 1 merchants and service providers require a PCI ROC, smaller merchants and service providers (Levels 2, 3, and 4) will conduct a SAQ to evaluate PCI compliance. Again, some Level 2 merchants may still be required to complete an ROC depending on the specific requirements set by the payment card brands.

A SAQ is a self-assessment tool that allows businesses to report on their security measures and practices without an on-site assessment by a QSA, and can help determine if the organization meets PCI requirements for its level. A business completes the SAQ based on its specific payment processing methods and security measures. 

The PCI ROC Process: 6 Steps 

An ROC assessment involves a thorough on-site review by a QSA of an organization's security policies, procedures, and controls related to the handling of cardholder data.

The QSA will utilize an ROC reporting template to summarize their findings, including controls and documentation provided during the audit. After completing the assessment, the QSA will present the findings to the company's acquiring bank. If accepted, the ROC will be forwarded to payment brands for verification.

Follow these six steps to guide you through the process of completing your PCI ROC.


Step 1. Find a QSA

To begin the PCI ROC process, you’ll need to hire a reputable and qualified QSA.  Coordination and cooperation with the QSA are vital for a smooth and successful assessment.

To help ensure a QSA is the right fit for your organization, you should:

  • Look for QSAs with relevant experience in your industry and with your size of business. 

  • Reach out to potential QSAs and request proposals outlining their assessment process, scope, timeline, pricing, and other relevant details. 

  • Ask for references from previous clients and check online reviews and testimonials to gauge the QSA's reputation and the quality of their work.

  • Arrange meetings or video calls with potential QSAs to discuss your organization's specific needs, and ask questions about their assessment approach.

To kick-start your search for a QSA, check Drata's list of pre-vetted auditors.

Step 2. Share Documentation With Your QSA

Once you have a QSA, you’ll need to gather and share necessary documentation with them. The specific documents required may vary based on your organization's size, complexity, and the QSA's assessment methodology, but you should be prepared to share:

  • Security policies and procedures

  • Maps of your data flows

  • Information about your networks and payments apps

  • Security controls documentation

  • User access management policies

  • Incident response plan

  • Evidence of security awareness training

  • Recent security assessment reports

  • Previous ROC reports (if applicable)

Work closely with your QSA to understand their specific requirements and expectations for documentation. Preparing and organizing the necessary documents in advance will facilitate a smoother and more efficient ROC assessment process.

Step 3. QSA Conducts Their Assessment

The QSA will proceed with their assessment, which involves an audit and a comprehensive review of your controls, including documentation examination and control testing. During this process, the QSA will test the 12 requirements for PCI compliance.

The on-site audit could involve the following:

  • Interviews and evidence gathering: The QSA interviews personnel from relevant departments handling payment card data, collecting evidence to validate security controls and assess PCI compliance.

  • Network scanning and testing: The QSA conducts vulnerability scans and penetration tests to identify security vulnerabilities in the organization's systems and networks.

  • Validation of security controls: The QSA assesses the effectiveness of security controls in place, including encryption, access management, firewall configurations, logging, and monitoring.

  • Questionnaires and testing documentation: The QSA may employ questionnaires and testing documentation for in-depth information on specific PCI requirements.

The QSA will document their findings throughout the audit, including any non-compliance issues or areas for improvement. 

Step 4. QSA Fills Out the ROC

After completing the assessment, the QSA will assemble their findings into an ROC, presenting a detailed overview of the organization's PCI compliance status, including evidence and recommendations.

In the summary of findings, you could get the following results:

  • In Place: The testing was conducted as expected, and all requirement elements have been met as specified.

  • In Place with Remediation: The requirement was not initially met during the assessment, but was successfully remediated before the assessment's completion.

  • Not Applicable: The requirement is not applicable to the organization's environment. 

  • Not in Place: Some or all aspects of the requirement have not been completely fulfilled, and they are either in the process of implementation or need further testing to verify their compliance.

  • In Place with Compensating Control: The required testing has been conducted, and the requirement has been met with the assistance of a compensating control.


Step 5. Remediate Any Compliance Gaps Described in the ROC

If your QSA identifies gaps or areas of non-compliance during your assessment (Not in Place), you’ll need to develop a remediation plan that outlines the steps required to address each identified gap.

You can work with the QSA to validate the effectiveness of your remediation efforts. Some gaps may require retesting or additional assessment to ensure they have been successfully addressed.

Step 6. QSA Completes an Attestation of Compliance (AOC)

Once gaps have been remedied, the QSA will complete an attestation of compliance (AOC). This document confirms that an organization has undergone its assessment and is compliant with the PCI requirements.

The QSA will present the AOC and ROC to the organization’s acquiring bank and relevant payment card brands for verification and validation of compliance.

What Does a Report on Compliance Include?

An ROC is a hefty 200+-page templated report provided by the PCI Security Standards Council (SSC). The specific contents of the ROC may vary based on the organization's size and complexity and the QSA's assessment approach. However, a typical ROC includes the following key components:

  • Executive summary: This section overviews the report's findings concerning cardholder data security.

  • Scope of the report: This section clarifies what the compliance officer reviewed and what was not included in the assessment.

  • Review of the compliance process: This section describes the compliance process, including the organization’s procedures and processes to meet requirements and how they function.

  • Summary of findings: This section assesses the effectiveness of the processes. It highlights the process’s strengths, weaknesses, identified risks, and the overall results of the compliance assessment.

  • Next steps: This section covers recommendations on how the organization can improve its compliance moving forward and address any shortcomings identified during the assessment.

What Happens if You Fail an ROC?

Failure to comply with PCI requirements can result in penalties, fines, and the potential loss of your ability to process payment card transactions, so adherence to the standards is crucial if your organization handles payment card data.

If your QSA identifies any gaps or non-compliance during their assessment, you’ll need to develop a remediation plan to help close those security gaps. Your QSA may give you a 30-to-45-day window to remediate any non-compliance described in the ROC.

Prioritize actions based on their level of criticality and potential impact on security. For guidance, consider following the PCI SSC Prioritized Approach for PCI compliance—a six-step process for implementing requirements based on their priority levels.

Once remedied, continuously monitor and review your organization's security practices to maintain compliance and address any future changes or developments.


Below, we answer a few common questions about PCI ROCs.

How Often Do You Need To Be Assessed for an ROC?

In general, Level 1 merchants and service providers must undergo an audit with a full ROC at least once a year. Some Level 2 merchants may also be required to perform an annual ROC depending on specific credit card brand requirements.

In the event of data exposure, your company will be required to undergo an ROC, regardless of your PCI Level.

How Long Does It Take To Receive an ROC?

The duration of a QSA assessment typically ranges from three to four weeks. However, the timeframe can vary based on factors such as your company's credit card handling practices, merchant or service provider status, the scope of PCI, and the size of your cardholder data environment (CDE). 

How Long Is an ROC Valid?

An ROC is valid for one year from the date it is issued. Level 1 merchants and service providers must undergo re-certification on an annual basis. 

How Drata Can Help You Prepare for (and Pass) Your ROC

A PCI ROC serves as evidence that your business follows the necessary security measures to protect cardholder data, ensuring trust among customers, partners, and payment card brands. However, navigating the process can be overwhelming.

Drata offers an automated PCI DSS compliance solution, allowing you to manage controls and requirements from a unified dashboard. With Drata, you gain the tools to effortlessly monitor your security posture and maintain audit readiness.

Schedule a demo to learn more about how Drata can enhance your security compliance program no matter where you’re at in your journey.

Trusted Newsletter
Resources for you
PCI Compliance Checklist Hero

PCI DSS Compliance Checklist: Understanding the 12 Requirements

PCI Audits hero

PCI DSS Audit: What It Is + How to Prepare

Penetration testing hero

Penetration Testing: Why It’s Important + Common Types

Choosing the Right PCI SAQ for Your Business

Choosing the Right PCI SAQ for Your Business

Troy Fine
Troy Fine
Troy Fine is a 10-year former auditor, now Director of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.
Related Resources
PCI Compliance Checklist Hero

PCI DSS Compliance Checklist: Understanding the 12 Requirements

PCI Audits hero

PCI DSS Audit: What It Is + How to Prepare

Penetration testing hero

Penetration Testing: Why It’s Important + Common Types

Choosing the Right PCI SAQ for Your Business

Choosing the Right PCI SAQ for Your Business