What is an Attestation of Compliance?
An Attestation of Compliance (AOC) is the formal document that certifies a business meets PCI DSS requirements. It is submitted alongside a Self-Assessment Questionnaire or audit report and serves as official proof of compliance to acquiring banks and payment brands.
What an Attestation of Compliance Is
An Attestation of Compliance (AoC) is a formal declaration that an organisation has been assessed against the PCI DSS requirements and has been found to be compliant at the time of the assessment. It is the official document that proves you have done the work -- implemented the security controls, undergone the assessment, and met the standard.
Think of it as a certificate of completion. It does not describe every technical detail of how you achieved compliance (that is covered in the Report on Compliance or SAQ), but it provides the summary statement that acquiring banks, card brands, and business partners need to see.
Who Needs an AoC
Every organisation that processes, stores, or transmits cardholder data needs to validate its PCI DSS compliance, and the AoC is the document that records that validation. This includes merchants of all sizes, payment service providers, payment gateways, hosting providers, and any other entity in the payment chain.
In practical terms, your acquiring bank or payment processor will periodically ask for your AoC to confirm that you are compliant. If you cannot produce a valid, current AoC, you may face increased fees, restrictions on your ability to process transactions, or penalties from the card brands.
How the AoC Is Created
The process for producing an AoC depends on your organisation's size and compliance level.
For Level 1 Merchants and Service Providers
Level 1 organisations -- typically those processing more than six million transactions per year -- must undergo a full on-site assessment conducted by a Qualified Security Assessor (QSA). The QSA examines every aspect of the cardholder data environment, tests controls, reviews documentation, and interviews staff. At the conclusion of the assessment, the QSA produces both a Report on Compliance (RoC), which is a detailed document running to hundreds of pages, and the AoC, which summarises the findings.
For Smaller Merchants
Merchants at Levels 2, 3, and 4 typically validate compliance through a Self-Assessment Questionnaire (SAQ). The SAQ is a structured set of yes/no questions that the merchant completes to confirm they meet the relevant PCI DSS requirements. Each SAQ type has its own corresponding AoC template that the merchant signs once the questionnaire is complete.
What the AoC Contains
While the format varies slightly depending on whether it accompanies a RoC or an SAQ, every AoC includes the following key information:
- Organisation details: the legal name, trading names, and contact information of the assessed entity
- Assessment scope: a description of what was assessed, including the systems, networks, and processes covered
- Assessment date: when the assessment was completed -- this is important because PCI DSS compliance is a point-in-time validation, not a permanent status
- Compliance status: whether the organisation was found to be compliant, non-compliant, or compliant with compensating controls
- QSA details: for Level 1 assessments, the name and credentials of the QSA firm and the individual assessor who conducted the assessment
- Signature: the AoC is signed by an authorised representative of the assessed organisation (and by the QSA for Level 1 assessments), confirming the accuracy of the information
How Long an AoC Is Valid
An AoC is valid for one year from the date of the assessment. After that, the organisation must undergo a new assessment and produce a fresh AoC to maintain its compliant status. This annual cycle ensures that security controls are regularly reviewed and that organisations do not become complacent after achieving compliance once.
It is worth emphasising that PCI DSS compliance is not a one-and-done exercise. The AoC confirms compliance at a specific point in time. The organisation is expected to maintain its controls continuously throughout the year, not just during the assessment period.
AoC and Telephone Payments
For businesses that take payments over the phone, the scope of the AoC depends heavily on how card data is captured and handled during calls. If agents manually type card details into a virtual terminal, the agent workstations, telephony systems, call recordings, and local network all fall within the assessment scope. This typically means a more complex SAQ (such as SAQ C or SAQ D) and a correspondingly detailed AoC.
By contrast, organisations that use DTMF masking to prevent card data from entering their environment can often qualify for the simpler SAQ A. The AoC in this case covers a much smaller scope because the cardholder data never touches the merchant's systems -- it is captured by the payment provider's PCI DSS Level 1 certified platform and routed directly to the processor.
This difference can be transformative. A SAQ D assessment might involve hundreds of individual requirements and weeks of preparation. A SAQ A assessment, by contrast, covers a fraction of those requirements and can often be completed in a matter of days.
Sharing Your AoC
Your AoC is typically shared with your acquiring bank, payment processor, and any business partners who need assurance that you handle card data securely. It is common for organisations to be asked for their AoC during vendor due diligence, contract negotiations, or when onboarding new clients.
While the AoC itself is not usually considered confidential, the underlying Report on Compliance or completed SAQ contains detailed technical information about your security controls and should be shared with more caution. Most organisations share the AoC freely but limit access to the full RoC or SAQ to parties who genuinely need it.
Paytia holds PCI DSS Level 1 certification, the highest level of compliance validation in the payment card industry. This means Paytia has undergone a formal audit by a Qualified Security Assessor and holds a current Attestation of Compliance that covers its entire payment processing infrastructure.
When your business uses Paytia for secure telephone payments, you benefit directly from this certification. Because Paytia's DTMF suppression technology prevents card data from entering your contact centre environment, your own compliance scope is dramatically reduced. This makes your SAQ shorter and your AOC easier to achieve.
Paytia can also provide its AOC directly to your acquiring bank or payment partners upon request, giving them confidence that the payment capture element of your telephone transactions is handled to the highest security standard.
Frequently Asked Questions
Is an AOC the same as PCI DSS certification?
The AOC is the formal document that proves PCI DSS compliance, but it is not a standalone certificate. It accompanies either a Self-Assessment Questionnaire or a Report on Compliance and must be renewed annually.
Can I request Paytia's AOC for my own compliance records?
Yes. As a PCI DSS Level 1 certified service provider, Paytia can share its Attestation of Compliance with your acquiring bank or compliance team upon request.
What happens if my AOC expires?
If your AOC lapses, you are no longer validated as PCI DSS compliant. Your acquiring bank may impose fines, increase your processing fees, or suspend your ability to accept card payments until you complete a new assessment.