PCI Compliance | 8 April 2026 | 10 min read

What Is AOC? Attestation of Compliance Explained

An AOC proves your PCI DSS compliance to partners, acquirers, and clients. Here's what it covers, who needs one, and how to get one.

If you process, store, or transmit payment card data — or if you use a vendor who does — you'll eventually be asked for an Attestation of Compliance. Usually by your acquiring bank. Sometimes by a client who wants to verify your security posture before signing a contract. Occasionally by a partner conducting a vendor assessment.

An AOC is your formal declaration that you've completed a PCI DSS assessment and the result of that assessment. Here's what it is, what it isn't, and how to get one.

What an AOC Actually Is

An Attestation of Compliance is a document that summarises the results of a PCI DSS assessment. It records:

  • Who completed the assessment (you, your QSA, or your internal security assessor)
  • When it was completed
  • What scope was assessed (which systems, processes, and locations are included)
  • Which SAQ type or ROC (Report on Compliance) was used
  • Whether the assessment resulted in full compliance, compliance with identified exceptions, or non-compliance

The AOC is signed by an authorised representative of your organisation — typically the Chief Information Security Officer, Chief Financial Officer, or another senior leader who can take legal responsibility for the statement. For assessments conducted by a QSA, the AOC is also signed by the QSA.

It's worth being precise about what an AOC is not: it's not the full assessment report. If you're using a QSA, the full Report on Compliance (ROC) is typically a lengthy document covering every PCI DSS requirement in detail. The AOC is the summary that gets shared externally. The ROC usually stays internal unless specifically requested by your acquirer.

Who Needs an AOC

Any organisation that is in scope for PCI DSS can produce an AOC. Whether you're required to share it depends on your merchant agreement and your relationships with partners and clients.

As a general rule:

  • Merchants are typically required to provide an AOC to their acquiring bank annually. The specific format and assessment type depend on the merchant level.
  • Service providers — organisations that process, store, or transmit cardholder data on behalf of merchants — are required to maintain their own PCI DSS compliance and are often asked to provide their AOC to merchant clients as part of due diligence.
  • Business partners conducting vendor assessments will frequently ask for an AOC as evidence of a supplier's security posture.

If you're a merchant who uses a third-party payment processor, your processor's AOC is part of how you demonstrate that the payment function is handled compliantly. Their compliance doesn't remove your own PCI DSS obligations — you still need to complete your own assessment — but it contributes to your overall compliance picture.

Two Types: Merchant AOC vs Service Provider AOC

There are two distinct AOC forms published by the PCI Security Standards Council, and using the right one matters.

Merchant AOC

The merchant AOC is used by businesses that accept payment cards directly from customers. There are different versions corresponding to each SAQ type (SAQ A, SAQ B, SAQ B-IP, SAQ C-VT, SAQ C, SAQ D, and so on). The SAQ type you use depends on how you process cards — whether you use a fully outsourced card page, a card machine, manual key entry, or a more complex integrated environment.

For very large merchants (those processing more than 6 million Visa or Mastercard transactions annually), a full Report on Compliance conducted by a QSA is required rather than a self-assessment. These merchants still produce an AOC as part of that process.

Service Provider AOC

Service providers use a different AOC form, which is more detailed than the merchant version. This reflects the fact that service providers take on compliance responsibilities on behalf of multiple merchants, and the merchants who use them need clear documentation of exactly what the service provider covers and what remains the merchant's responsibility.

The service provider AOC includes a section on "shared responsibilities" — a breakdown of which PCI DSS requirements the service provider handles and which remain with the customer. This is important for merchants, because they need to understand exactly what they're inheriting from their service provider's compliance and what gaps they still need to fill themselves.

Paytia is a PCI DSS Level 1 service provider. We maintain a current AOC which our customers can reference to support their own compliance assessments. The shared responsibilities section of our AOC clarifies precisely what our platform covers — including DTMF masking, call recording isolation, and secure payment processing — so that merchants using Paytia know what they don't need to validate themselves.

The Assessment Process Behind an AOC

An AOC doesn't exist in isolation — it's the output of a completed PCI DSS assessment. The path to that assessment depends on your merchant or service provider level.

Self-Assessment (SAQ)

Most small and medium merchants complete a Self-Assessment Questionnaire. This is a structured set of yes/no questions corresponding to the PCI DSS requirements applicable to their environment. Each SAQ type has a different scope — SAQ A is the simplest (for merchants who fully outsource card handling) while SAQ D covers the full set of requirements.

After completing the SAQ, you sign the accompanying AOC document and submit it to your acquirer. A QSA doesn't need to be involved for SAQ-level assessments, though many organisations choose to engage one for guidance.

QSA Assessment (ROC)

Larger merchants and service providers undergo a formal assessment by a Qualified Security Assessor. The QSA conducts an on-site review, interviews staff, examines evidence, and tests controls across all in-scope systems. The output is a Report on Compliance, and the QSA co-signs the accompanying AOC.

The QSA assessment is significantly more rigorous than self-assessment — and significantly more expensive. But for organisations at the volume thresholds that require it, or those that want the strongest possible evidence of compliance, it's the appropriate path.

Why Acquirers and Partners Ask for It

Your acquiring bank holds contractual responsibility for ensuring that the merchants they sponsor are PCI compliant. If a merchant suffers a breach and is found to be non-compliant, the acquirer can face significant penalties from the card networks. The AOC is the mechanism by which merchants demonstrate compliance to their acquirer.

For partner and vendor assessments, the AOC serves a different purpose: it's a credible, standardised document that allows a procurement or security team to assess whether a supplier meets minimum security requirements without conducting a full audit themselves. It's not a substitute for due diligence — a sophisticated buyer will ask follow-up questions — but it provides a solid starting point.

How Long Is an AOC Valid?

PCI DSS compliance assessments are annual. An AOC is valid for twelve months from the date it was completed. Most acquirers will request an updated AOC each year as part of their ongoing compliance management programme.

If your environment changes significantly during the year — you add a new payment channel, change your card processor, or substantially modify your infrastructure — you may need to conduct an interim assessment rather than waiting for the annual cycle.

What Happens If You Can't Produce an AOC

If you can't produce a current AOC when your acquirer or a partner requests one, the consequences depend on who's asking and why.

For acquirers, persistent failure to provide a compliant AOC can result in fines, increased transaction fees, or in extreme cases, termination of your merchant agreement. Card networks publish their own non-compliance fee schedules, and acquirers pass these through to merchants.

For partner and client assessments, inability to provide an AOC may result in failing vendor qualification criteria or being removed from an approved supplier list. For organisations selling to enterprise clients, this can be a commercial issue as significant as any technical compliance gap.

Using Your Service Provider's AOC

If you use third-party services to handle card payments, your service provider's AOC is a tool, not a crutch. It demonstrates that the payment processing function you've outsourced is handled compliantly — which is genuine evidence that reduces the scope of what you need to assess and control yourself.

But it doesn't eliminate your own compliance obligations. You still need to complete your own assessment, covering the parts of your environment that remain in scope. The service provider's AOC fills in one part of the picture; your own assessment fills in the rest.

When choosing a payment vendor, ask for their AOC before you sign a contract. Check that it's current (within the last 12 months), covers the services you'll actually be using, and includes a clear shared responsibilities section. A vendor who is reluctant to share their AOC — or who doesn't have one — is a vendor whose compliance you should question.

Paytia's Level 1 service provider AOC is available to prospective and current customers on request. Get in touch if you'd like to see it.
