Attestation of Compliance
The Attestation of Compliance (AOC) is a formal document used in the Payment Card Industry Data Security Standard (PCI DSS) compliance process. It serves as an organization's declaration that it has met PCI DSS requirements for securing cardholder data. Here’s a detailed breakdown:
1. Purpose of the AOC
- The AOC is a confirmation statement that the organization has completed its PCI DSS assessment and is compliant.
- It is submitted to acquiring banks, payment brands, or other stakeholders to demonstrate compliance.
2. Who Needs an AOC?
- Merchants and Service Providers who handle cardholder data.
- Required of organizations that process, store, or transmit payment card data.
3. When is it required?
- After completing a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC).
- Typically required annually, or upon a significant change to the environment that handles cardholder data.
4. Components of the AOC
The AOC includes:
- Organization Information: Name, address, contact details.
- Assessment Details:
  - Type of assessment (SAQ or ROC).
  - Date of assessment.
- Scope of Compliance:
  - Systems, processes, and locations covered.
- Validation Method:
  - Whether compliance was validated by a Qualified Security Assessor (QSA) or internally.
- Attestation Statement:
  - Signed by an authorized officer confirming compliance.
5. Types of AOC
- Merchant AOC: For businesses accepting card payments.
- Service Provider AOC: For companies providing services that involve cardholder data.
6. Why is it Important?
- Demonstrates due diligence in protecting cardholder data.
- Helps avoid fines and penalties from payment brands.
- Builds trust with partners and customers.
7. Common Mistakes
- Incorrect scope definition.
- Missing signatures or incomplete details.
- Submitting outdated versions of the AOC template.