What is an Attestation of Compliance?
An Attestation of Compliance (AOC) is the formal document that certifies a business meets PCI DSS requirements. It is submitted alongside a Self-Assessment Questionnaire or audit report and serves as official proof of compliance to acquiring banks and payment brands.
What Does an Attestation of Compliance Mean?
An Attestation of Compliance (AOC) is the official declaration that a merchant or service provider has met all applicable PCI DSS requirements. Think of it as the signed certificate that accompanies your compliance evidence — whether that evidence comes from a Self-Assessment Questionnaire (SAQ) or a full Report on Compliance (ROC) produced by a Qualified Security Assessor.
The AOC does not replace the SAQ or ROC. Instead, it is a summary document that confirms the assessment has been completed and the organisation is compliant. It is the document most commonly requested by acquiring banks, payment processors, and business partners when they need proof of your PCI DSS status.
Who Needs an AOC?
Any organisation that processes, stores, or transmits cardholder data needs to validate its PCI DSS compliance. The AOC is required for:
- Merchants — Businesses that accept card payments, regardless of size or transaction volume.
- Service providers — Companies that handle card data on behalf of other businesses, such as payment processors, hosting providers, and managed security services.
Your acquiring bank or the payment brands you work with (Visa, Mastercard, etc.) will specify how often you must submit your AOC and which validation method is required.
How the AOC Works in Practice
For SAQ-based validation
If your business completes a Self-Assessment Questionnaire, the AOC is a section within the SAQ document itself. You sign it to confirm that the information provided is accurate and that your organisation meets the applicable requirements. This is then submitted to your acquirer.
For ROC-based validation
Larger organisations that undergo a formal on-site audit receive a Report on Compliance from their QSA. The AOC accompanies this report as a separate document, signed by both the QSA and an officer of the assessed organisation.
Why the AOC Matters
Without a valid AOC, your business cannot demonstrate PCI DSS compliance to partners, acquirers, or payment brands. This can result in:
- Fines from payment card brands
- Increased transaction processing fees
- Loss of the ability to accept card payments
- Liability exposure in the event of a data breach
The AOC is typically valid for one year and must be renewed through annual reassessment. Keeping your AOC current is essential for maintaining trust with your payment partners and protecting your business from penalties.
Common Misconceptions
Some businesses mistakenly believe that completing a SAQ automatically makes them compliant. In reality, the SAQ identifies gaps, and the AOC confirms those gaps have been addressed. If your SAQ reveals controls that are not in place, you must remediate them before signing the AOC.
Paytia holds PCI DSS Level 1 certification, the highest level of compliance validation in the payment card industry. This means Paytia has undergone a formal audit by a Qualified Security Assessor and holds a current Attestation of Compliance that covers its entire payment processing infrastructure.
When your business uses Paytia for secure telephone payments, you benefit directly from this certification. Because Paytia's DTMF suppression technology prevents card data from entering your contact centre environment, your own compliance scope is dramatically reduced. This makes your SAQ shorter and your AOC easier to achieve.
Paytia can also provide its AOC directly to your acquiring bank or payment partners upon request, giving them confidence that the payment capture element of your telephone transactions is handled to the highest security standard.
Frequently Asked Questions
Is an AOC the same as PCI DSS certification?
The AOC is the formal document that proves PCI DSS compliance, but it is not a standalone certificate. It accompanies either a Self-Assessment Questionnaire or a Report on Compliance and must be renewed annually.
Can I request Paytia's AOC for my own compliance records?
Yes. As a PCI DSS Level 1 certified service provider, Paytia can share its Attestation of Compliance with your acquiring bank or compliance team upon request.
What happens if my AOC expires?
If your AOC lapses, you are no longer validated as PCI DSS compliant. Your acquiring bank may impose fines, increase your processing fees, or suspend your ability to accept card payments until you complete a new assessment.