
What Is a PCI Attestation of Compliance (AoC)?

How a PCI DSS Attestation of Compliance benefits your business

The payment card industry (PCI) has developed strict standards for businesses hoping to process payments using credit or debit cards. The PCI Data Security Standard (PCI DSS) helps ensure anyone taking card payments ensures adequate protection of payment data, and meeting it has become a de facto essential of modern business practices. Once a business meets those requirements, it can receive a PCI Attestation of Compliance (AoC) to show clients that it takes data security seriously and has implemented the necessary controls and procedures to keep their data safe.

Read on to learn more about the Attestation of Compliance PCI requirements, the benefits of displaying an AoC, and how to get one for your business.


What Is a PCI Attestation of Compliance?

An Attestation of Compliance is a document that declares the corresponding organization has met the requirements of PCI DSS. It’s essentially the testimony that a PCI SSC-certified Qualified Security Assessor (QSA) has reviewed your business’s tools and procedures for protecting cardholder data and certified that they are up to snuff. The PCI Attestation of Compliance form is typically only one page long and doesn’t include the details of the testing process — just the assurance that a qualified, experienced assessor has approved a company’s systems as complying with PCI DSS.

PCI DSS isn’t a legal requirement for doing business. Instead, it’s established and overseen by the Payment Card Industry Security Standards Council (PCI SSC). Even without a government framework, the PCI SSC can impose punishments on businesses that fail to treat customer payment data with sufficient care. Penalties imposed by payment processors for such a failure range from $5,000 to $100,000 per month. Banks can even terminate your merchant account for coming up short of PCI DSS, preventing you from taking payments via cards. On the other hand, meeting PCI DSS helps to keep your business safe from cyber attacks and shows clients you have prioritized data security. Ultimately, meeting PCI DSS means not just saving money on fines and potential data breaches, but also raising revenue by acquiring safety-conscious clients.

Virtually every cloud platform operating in the United States has gone through the PCI DSS compliance process. That includes tech giants such as Amazon Web Services, whose clients can access its PCI Attestation of Compliance through AWS Artifact. Google Cloud offers a similar process for viewing PCI AoCs. 

Of course, not every company has Amazon’s or Google’s resources, and achieving PCI compliance can be expensive and time-consuming. That’s why DuploCloud built its automated DevOps platform with PCI DSS in mind, making it easy to deploy infrastructure according to the standard and earn an AoC in short order. Read our white paper to learn more.


How Do I Get an Attestation of Compliance?

Earning a PCI Attestation of Compliance means satisfying the 12 components of PCI DSS 3.2, the most current version of the standard. These 12 components include security tools and best practices your business must incorporate to keep payment data safe, and it may take some time to assemble the right mix of in-house and à la carte solutions for your business. You should begin by determining the relevant PCI compliance level for your business, which corresponds to the volume of transactions you process. More transactions mean a higher level, and a higher level means more stringent requirements.

Each credit card company defines the levels slightly differently, but we’ll use Visa as a benchmark. It defines the levels as follows:

  • Level 4: Merchants processing fewer than 20,000 ecommerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
  • Level 3: 20,000 to 1 million Visa ecommerce transactions annually
  • Level 2: 1-6 million Visa ecommerce transactions annually across all channels
  • Level 1: Merchants processing over 6 million Visa transactions annually across all channels or Global merchants identified as Level 1 by a Visa region

With your level in mind, review the 12 components of PCI DSS and apply solutions where necessary, documenting any tools and procedures implemented. Run a risk assessment with an eye toward potential vulnerabilities and produce a gap analysis that details where your measures have fallen short. Perform remediation to close those holes, again maintaining documentation for all of your tools and procedures.

Once you’ve got a fully documented system that adequately addresses all 12 PCI DSS standards, you can complete a Self-Assessment Questionnaire (SAQ). You can then hire a Qualified Security Assessor to review your SAQ, and if they’re satisfied with it, they’ll provide you with an Attestation of Compliance that you can show to clients as proof of your commitment to rigorous data security.

Merchants of every level must undergo the SAQ and review process yearly. Only Level 1 businesses must undergo a full on-site PCI DSS audit every year. These businesses will also receive a Report on Compliance (ROC), which provides an in-depth assessment of their PCI compliance efforts. The AoCs issued for these large businesses also attest to the accuracy of the ROC.

How Can DuploCloud Help?

Developing secure tools and procedures for your organization ad hoc can mean mountains of work for your tech and legal teams, slowing your go-to-market time and resulting in hours of productivity lost to compliance rather than improving the business. DuploCloud recognizes that not all businesses have the luxury of time to develop internal solutions for receiving an AoC for PCI compliance. That’s why we built our low- and no-code DevSecOps Automation platform with PCI DSS in mind. We’ve designed a suite of PCI DSS-compliant controls and corresponding documentation that can be implemented without the risk of human error and that a QSA can review quickly and easily. That means receiving an AoC, maintaining compliance, and reaching the market that much faster. For more information, read our white paper.