What is a Report on Compliance?

A Report on Compliance (RoC) is the formal document produced by a Qualified Security Assessor (QSA) after conducting an on-site PCI DSS assessment. It provides a detailed record of the organisation's compliance status against every requirement of the standard. RoCs are required for Level 1 merchants and Level 1 service providers.

What a Report on Compliance Is

A Report on Compliance (RoC) is the most detailed and rigorous form of PCI DSS compliance documentation. It is produced by a Qualified Security Assessor (QSA) after conducting a thorough on-site assessment of an organisation's cardholder data environment. The RoC documents every PCI DSS requirement, describes how the organisation meets (or does not meet) each one, and provides the evidence supporting those conclusions.

If the Attestation of Compliance (AoC) is the summary certificate, the RoC is the full audit report behind it. It typically runs to hundreds of pages and provides a thorough picture of an organisation's security posture as it relates to payment card data.

Who Needs a RoC

Not every organisation needs a Report on Compliance. RoCs are required for Level 1 merchants (those processing more than six million card transactions per year under a given card brand's programme) and Level 1 service providers (those that store, process, or transmit cardholder data on behalf of other organisations and exceed the brand's threshold, for example more than 300,000 transactions per year under the Visa and Mastercard programmes). The exact thresholds are set by each card brand, and an acquirer can assign a higher level than the volume alone would indicate.

Smaller merchants and service providers typically validate compliance through Self-Assessment Questionnaires (SAQs), which are less detailed but follow the same underlying requirements. However, some acquiring banks or business partners may request a RoC even from organisations that are not strictly required to produce one, particularly where the relationship involves handling large volumes of sensitive data.

Paytia, for example, maintains a RoC as part of its PCI DSS Level 1 service provider validation. This gives Paytia's clients confidence that the platform they are trusting with their customers' card data has been independently and rigorously assessed.

What the RoC Contains

A RoC follows a structured template provided by the PCI SSC. It covers every one of the PCI DSS requirements in detail, organised into the following sections.

Executive Summary

A high-level overview of the assessment, including the scope, key findings, and overall compliance status. This section gives the reader the bottom line before diving into the details.

Scope of Assessment

A detailed description of the cardholder data environment that was assessed. This includes network diagrams, data flow diagrams, lists of systems and applications in scope, and descriptions of how card data enters, moves through, and leaves the environment. The scope section is critical because it defines the boundaries of the assessment -- anything outside the stated scope has not been assessed.

Requirement-by-Requirement Assessment

This is the bulk of the document. For each of the PCI DSS requirements (and their sub-requirements), the RoC describes the controls in place, the testing procedures the QSA performed, the evidence gathered, and the finding: in place, in place with remediation, not applicable, not tested, or not in place. Where a requirement is met through a compensating control (or, under PCI DSS v4.x, a customized approach), the finding records that as well.

For example, under Requirement 3 (Protect Stored Account Data), the RoC would describe what cardholder data is stored, how it is encrypted, who has access, how access is controlled, and what the QSA did to verify these controls are working.

Compensating Controls

If an organisation cannot meet a specific requirement as stated because of a legitimate technical or documented business constraint, but has implemented alternative controls that provide equivalent security, these are documented as compensating controls. Each compensating control worksheet explains the constraint that prevents compliance with the original requirement, the objective of the original requirement, the additional risk the constraint introduces, the compensating control itself, how the QSA validated it, and how the organisation maintains it. A compensating control must go beyond other PCI DSS requirements that are already in place; simply pointing at an existing control does not qualify.

The RoC Process

Producing a RoC is a significant undertaking. The process typically unfolds over several weeks or months, depending on the size and complexity of the cardholder data environment.

  • Engagement planning: The QSA and the organisation agree on the scope, timeline, and logistics of the assessment. This includes identifying key contacts, scheduling site visits, and determining which systems and processes need to be examined.
  • Documentation review: The QSA reviews security policies, procedures, network diagrams, data flow diagrams, and other documentation before the on-site visit. This helps identify potential gaps early and makes the on-site work more efficient.
  • On-site assessment: The QSA visits the organisation's facilities (or conducts the assessment remotely, where permitted) to test controls, examine systems, review configurations, and interview staff. This is where the QSA gathers the evidence that will support the findings in the RoC.
  • Gap remediation: If the QSA identifies controls that are not in place or not working effectively, the organisation has an opportunity to fix them during the assessment window. The QSA will then re-test the remediated controls before finalising the RoC.
  • Report writing: The QSA compiles the findings into the RoC template, documenting every requirement, the testing performed, and the evidence gathered. This is the most labour-intensive part of the process.
  • Finalisation: The completed RoC is reviewed by the organisation and then submitted, together with the Attestation of Compliance signed by both the organisation and the QSA, to the relevant acquiring banks or card brands.

RoC and Telephone Payments

For organisations that process telephone payments, the RoC will include detailed assessment of the telephony environment. The QSA will examine how card data is captured during phone calls, whether call recordings contain cardholder data, how agent workstations are secured, and what controls protect the voice channel.

Organisations using DTMF masking can significantly simplify this section of the RoC. Because the caller keys the card number on their phone keypad and the tones are masked before they reach the agent, the telephony systems, agent workstations, and call recording platform never receive cardholder data. The QSA still has to verify that this is actually the case: that agents cannot hear or see the card number, that there is no manual fallback path where an agent types a card number read out over the phone, and that recordings genuinely contain no account data. Once that is confirmed, those systems can be documented as out of scope, and the focus shifts to the relationship with the DTMF masking provider: its PCI DSS Level 1 Attestation of Compliance, the written agreement covering its responsibilities, and the merchant's own monitoring of the provider's compliance status, as PCI DSS Requirement 12.8 expects for any third-party service provider.

This scope reduction can save weeks of assessment time and significantly reduce the cost of the QSA engagement.

RoC vs SAQ

The Report on Compliance and the Self-Assessment Questionnaire serve the same fundamental purpose -- validating PCI DSS compliance -- but they differ significantly in depth and rigour.

  • RoC: Produced by an independent QSA. Involves on-site testing, evidence gathering, and staff interviews. Hundreds of pages long. Required for Level 1 organisations.
  • SAQ: Completed by the organisation itself (self-assessment). No independent verification required in most cases (though a QSA can assist, and some card brands require a QSA or Internal Security Assessor to sign off Level 2 merchant SAQs). Much shorter and simpler, and available in several versions depending on how card data is handled. Used by Level 2, 3, and 4 merchants and by Level 2 service providers.

The RoC provides much greater assurance because the assessment is conducted by an independent, qualified third party. This is why Level 1 organisations -- those processing the highest volumes of transactions or those handling card data on behalf of others -- are required to go through the full RoC process.

How Paytia Uses This

Paytia holds a Report on Compliance as a PCI DSS Level 1 service provider, independently assessed by a Qualified Security Assessor each year. This is the most rigorous form of PCI DSS validation available, confirming that every in-scope aspect of Paytia's platform was found to meet the standard's requirements at the time of assessment.

For Paytia's clients, this RoC provides assurance that the payment infrastructure they depend on has been thoroughly audited. Clients can reference Paytia's compliance status in their own PCI DSS assessments (normally by obtaining Paytia's Attestation of Compliance and recording Paytia in their list of third-party service providers), and by using Paytia to handle card data, they can significantly reduce the scope of their own compliance obligations.

Frequently Asked Questions

Is a ROC the same as PCI DSS certification?

A RoC confirms that an organisation was found to be compliant at the time of assessment. There is no formal PCI DSS 'certification' issued by the PCI SSC; compliance is validated through either a RoC (for Level 1 entities) or a Self-Assessment Questionnaire (for smaller organisations), and the result is attested in an Attestation of Compliance. The RoC is the most thorough form of validation available.

How long is a ROC valid?

A RoC covers a specific point-in-time assessment and is accepted for one year. Organisations must complete a new assessment annually to maintain their compliance status. PCI DSS v4.x places greater emphasis on demonstrating that controls are maintained continuously between assessments, for example through the periodic reviews and targeted risk analyses it requires.

Can I ask a service provider to share their ROC?

RoCs contain detailed security information, including network and data flow diagrams and descriptions of specific controls, and are typically treated as confidential. Most service providers will share their Attestation of Compliance (AoC) instead, which confirms their compliance status and the services covered without revealing sensitive technical details. You can request to review a RoC under a non-disclosure agreement if needed.
