FAQ Response
Examples of AOC sections that might contain information considered to be sensitive include:
For many entities, sharing the AOC (Attestation of Compliance) with business partners and customers may be preferable to sharing the full ROC (Report on Compliance). However, for the AOC to have value for this purpose, the information it contains must provide a meaningful summary of the assessed environment, so that partners and customers have assurance that the AOC actually represents the environment it is expected to cover. Entities should have a clear understanding and agreement with their business partners and customers about the information to be shared for the purposes of evidencing their compliance status.
Note: It is not permitted to redact any content from the signed AOC prior to submitting it to a payment brand or acquirer for compliance validation purposes.
See also FAQ #1220: Are compliance certificates recognized for PCI DSS validation?
September 2015
Article Number 1354