Report on Compliance (ROC)

What is a Report on Compliance?

A Report on Compliance (ROC) is the formal document a Qualified Security Assessor (QSA) produces after completing a full PCI DSS assessment of an organisation (some card brands also allow a merchant's PCI-trained Internal Security Assessor to complete it). It records, requirement by requirement, what was tested, what evidence was examined, and whether each requirement was found to be in place. ROCs are required for Level 1 merchants and Level 1 service providers; smaller entities typically validate with a Self-Assessment Questionnaire instead.

What a ROC Contains

A ROC is a comprehensive document that covers every requirement and sub-requirement of PCI DSS. For each requirement, the QSA records:

  • Whether the requirement was found to be in place, not in place, not applicable, or not tested
  • The testing procedures performed to validate compliance
  • The evidence reviewed, including documentation, system configurations, and interview responses
  • Any compensating controls (or, under PCI DSS v4.0, customized approach implementations) used in place of the defined requirement

The ROC follows a standardised template (the ROC Reporting Template) published by the PCI Security Standards Council (PCI SSC), ensuring consistency across assessments regardless of which QSA company conducts the audit.

Who Needs a ROC

A ROC is required for:

  • Level 1 merchants — organisations processing over 6 million card transactions per year
  • Level 1 service providers — companies that store, process, or transmit card data on behalf of other businesses above the card brands' volume thresholds (Visa and Mastercard set this at 300,000 transactions per year, and treat payment processors and gateways as Level 1 regardless of volume)
  • Any organisation whose acquiring bank or card brand requires a formal assessment rather than self-assessment

Smaller merchants and service providers typically complete a Self-Assessment Questionnaire (SAQ) instead. The SAQ is completed by the organisation itself rather than validated by an assessor, and the shorter SAQ types cover only the requirements relevant to a particular payment channel.

ROC vs AOC

The ROC and the Attestation of Compliance (AOC) are produced together but serve different purposes. The ROC is the detailed assessment report containing all findings and evidence. The AOC is a summary document that confirms the assessment was completed and states the overall compliance result.

The AOC is typically what organisations share with their acquiring banks, business partners, and clients. The full ROC is a confidential document that is not normally shared externally due to the sensitive security information it contains.

The Assessment Process

A ROC assessment typically involves:

  • Scoping — identifying the cardholder data environment (CDE) together with every system component connected to it or able to affect its security, since everything in scope is subject to all applicable requirements
  • Document review — examining security policies, procedures, and network diagrams
  • Technical testing — verifying configurations, access controls, encryption, and monitoring
  • Staff interviews — confirming that personnel understand and follow security procedures
  • Observation — watching processes in action to verify they match documented procedures

The assessment is repeated annually. Although the ROC documents a point-in-time result, the QSA samples evidence from across the assessment period (for example log reviews, quarterly vulnerability scans, and change records) to confirm that controls operated throughout the year, not only on the day of testing.

How Paytia Uses This

Paytia holds a Report on Compliance as a PCI DSS Level 1 service provider and is independently assessed by a Qualified Security Assessor each year. Level 1 is the highest service provider validation level, and a QSA-produced ROC is the most rigorous form of PCI DSS validation; it confirms that the in-scope components of Paytia's platform were assessed against every applicable requirement of the standard.

For Paytia's clients, the ROC provides assurance that the payment infrastructure they depend on has been independently audited. Clients can use Paytia's Attestation of Compliance as evidence for their own third-party service provider oversight (PCI DSS Requirement 12.8), and by routing card data through Paytia rather than their own systems they can substantially reduce the scope of their own compliance obligations.

Frequently Asked Questions

Is a ROC the same as PCI DSS certification?

A ROC confirms that an organisation was found to be compliant at the time of assessment. There is no formal PCI DSS 'certification' — compliance is validated through either a ROC (for Level 1 entities) or a Self-Assessment Questionnaire (for smaller organisations). The ROC is the most thorough form of validation available.

How long is a ROC valid?

A ROC documents a point-in-time assessment, and acquirers and card brands expect it to be renewed annually. Organisations must complete a new assessment each year to maintain their validated compliance status. PCI DSS v4.0 places greater emphasis on demonstrating that controls are maintained continuously between assessments.

Can I ask a service provider to share their ROC?

ROCs contain detailed security information and are typically treated as confidential. Most service providers will share their Attestation of Compliance (AOC) instead, which confirms their compliance status without revealing sensitive technical details. You can request to review a ROC under a non-disclosure agreement if needed.

See how Paytia handles Report on Compliance (ROC)

Book a personalised demo and we'll show you how our platform works with your setup.

Request a Demo