What Is an Attestation of Compliance (AOC)?

Updated on June 2, 2026

The Attestation of Compliance (AOC) is a formal document showing that an organization has met the requirements of a specific security standard. The AOC accompanies one of two underlying validation documents: a Report on Compliance (ROC), produced by a Qualified Security Assessor (QSA) after an on-site audit, or a Self-Assessment Questionnaire (SAQ), which an eligible organization completes itself. It documents that the in-scope security controls were validated as of the assessment date.

In payment security, the AOC is most famously used to validate adherence to the Payment Card Industry Data Security Standard (PCI DSS). It is a critical governance document for compliance officers, auditors, and executives. The AOC provides assurance to partners, customers, and regulatory bodies that security measures are in place and effective. PCI SSC does not issue a PCI DSS “certificate” or compliance logo. The AOC, together with the underlying ROC or SAQ, is the recognized form of compliance validation.

Definition and Core Concepts

The AOC is a standardized form signed by a qualified party and a senior executive of the assessed organization. It formally attests that the security controls within the audit’s scope were effective at the time of assessment. It is a snapshot in time, documenting compliance status as of the assessment’s completion date.

Several foundational concepts are central to the AOC:

  • PCI DSS (Payment Card Industry Data Security Standard): The primary standard for which the AOC is issued. It governs the security of environments that store, process, or transmit cardholder data.
  • QSA (Qualified Security Assessor): An independent security professional certified by the PCI Security Standards Council (PCI SSC). A QSA is authorized to perform formal, on-site PCI DSS assessments and sign the AOC on that path.
  • ROC (Report on Compliance): A comprehensive document generated by a QSA. The ROC outlines audit findings, testing methodologies, and evidence supporting the AOC. Where a ROC is required, the AOC summarizes it; where an SAQ is used instead, the AOC summarizes the SAQ.
  • SAQ (Self-Assessment Questionnaire): A validation tool that SAQ-eligible merchants and service providers use to assess and report their own PCI DSS compliance. There are multiple SAQ types, each scoped to a specific kind of payment environment. Organizations that validate by SAQ complete and sign their own AOC.
  • Scope: The clearly defined boundaries of the assessment, including people, processes, and technologies. The AOC is only valid for the specific scope defined.

How It Works: The Compliance Lifecycle

The AOC is the final product of a rigorous, multi-stage assessment process. This lifecycle ensures that compliance is thoroughly documented and verified. The process confirms both technical adherence and management accountability.

The compliance lifecycle includes the following stages:

  • Assessment: The organization is assessed against all applicable PCI DSS requirements, either by a QSA through an on-site audit or through self-assessment. This involves interviews, documentation review, and technical testing.
  • Documentation of Results: For a QSA-led assessment, the QSA documents all findings and compliance status in the Report on Compliance (ROC). For a self-assessment, the organization records its results in the applicable SAQ.
  • AOC Completion: Once any identified issues are remediated and full compliance is achieved, the AOC is completed and signed. On the QSA path, the QSA signs the AOC; on the self-assessment path, the organization signs its own AOC.
  • Executive Co-signature: A senior executive from the assessed entity—such as the CEO, CFO, or CISO—then co-signs the form. This affirms management’s acceptance of responsibility for the compliance statement.
  • Submission and Assurance: The organization submits the AOC to its acquiring bank or the payment brands (Visa, Mastercard, etc.). It serves as proof that the organization is securing cardholder data.

Key Features and Components

The AOC has several key features that make it a standardized and reliable document. These components ensure consistency and accountability in the compliance process. They provide a clear framework for reporting.

Key features of the AOC include:

  • Standardized Form: The AOC uses a mandatory, standardized template provided by the PCI SSC. This ensures consistency in reporting across all organizations and assessments.
  • Declaration of Responsibility: The form requires a signature from a senior corporate executive and, on the QSA path, from the independent assessor (QSA). This confirms both technical verification and management accountability.
  • Compliance Date: The AOC explicitly states the date the assessment was completed. This date defines the exact point in time for which compliance is attested.

Use Cases and Applications

The AOC serves primarily as a governance and business-enablement tool. Whether and how an organization must validate compliance depends on its merchant or service provider level, which is set by its acquiring bank or the payment brands. It is a critical document for maintaining trust with partners and customers.

The primary use cases include:

  • PCI DSS Compliance: The AOC is the official document required to demonstrate adherence to the PCI DSS standard. The specific validation and reporting requirements, including whether a ROC or an SAQ applies, are determined by the organization’s level as set by its acquirer or the payment brands.
  • Vendor Assurance (TPRM): Organizations performing Third-Party Risk Management (TPRM) require their payment-processing vendors to submit a current AOC. This proves they are securing customer data according to industry standards.
  • Business Enablement: A valid AOC is commonly required by acquirers and payment brands for maintaining merchant status and for continuing to process credit card transactions.

Advantages and Trade-offs

The AOC provides significant advantages for demonstrating security compliance. However, it also has limitations that organizations must consider. Understanding these trade-offs is crucial for effective risk management.

Advantages:

  • It provides a clear and universally recognized form of assurance regarding payment security.
  • It forces management accountability through the executive co-signature requirement.

Trade-offs:

  • The AOC is only a snapshot in time. An organization must maintain its security posture throughout the year, as an incident occurring after the AOC date may indicate a failure in continuous compliance.
  • The process can be expensive and resource-intensive where a QSA audit is required.

Key Terms Appendix

  • PCI DSS: Payment Card Industry Data Security Standard.
  • SAQ: A self-assessment validation tool used by SAQ-eligible merchants and service providers.
  • QSA: Qualified Security Assessor.
  • ROC: Report on Compliance.
  • Cardholder Data: Any personal data related to a cardholder (e.g., primary account number, name, expiration date).
  • TPRM: Third-Party Risk Management.