Frequently Asked Questions

< Back to search page

Can an Attestation of Compliance (AOC) be provided to an assessed entity before the Report on Compliance (ROC) is finalized?

FAQ Response

No, an Attestation of Compliance (AOC) cannot be provided to an assessed entity before the Report on Compliance (ROC) is finalized. The AOC must be completed as a declaration of the results of the assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS).  Within “Section 2: Report on Compliance” of the AOC, it is stated that the AOC “reflects the results of an onsite assessment, which is documented in an accompanying Report on Compliance (ROC)” and there the assessor must provide the date of the assessment documented in the attestation and in the ROC, which again enforces the intent that the ROC is finalized prior to the execution of the AOC.  

February 2016
Article Number 1375