How Long Is a ROC for PCI DSS 4.0?
- ROC is a required form for Level 1 Visa merchants and possibly Level 2 merchants.
- The PCI Security Standards Council manages the ROC standards.
- A QSA files and submits the Report on Compliance forms for merchants.
- Compliance requirements will depend on the merchant’s company size and volume of credit card transactions.
What Is ROC?
A Report on Compliance (ROC) is a form that all Level 1 Visa merchants undergoing a Payment Card Industry Data Security Standard (PCI DSS) audit must complete. This form applies to Level 1 merchants that process more than 6 million Visa transactions yearly. Level 2 merchants that process 1 to 6 million transactions every year may also have to complete a ROC.
The goal of a PCI ROC is to verify that a merchant is PCI compliant. The PCI DSS audit includes critical policies and procedures designed to increase the security of card-present and card-not-present transactions and help protect cardholder data against credit card fraud.
The PCI DSS standards were developed by the major credit card brands – American Express, Discover, Mastercard, Visa, and JCB. Aside from PCI DSS, other data security industry standards are used to help protect cardholder data, such as the International Organization for Standardization (ISO) 27000 series and the National Institute of Standards and Technology (NIST) Special Publication 800-53.
How Does the ROC Work?
Any business that stores, processes, or transmits credit card data must comply with PCI DSS, including retail and financial organizations. The PCI Security Standards Council is responsible for managing the standards that dictate the operational and technical guidelines for how organizations must handle payment transactions.
How Long Does It Take to Complete a PCI ROC Assessment?
In general, merchants can expect a PCI QSA assessment to take anywhere from 3 to 4 weeks. Keep in mind that every organization is unique. Therefore, the exact time it takes to conduct the assessments, document the findings, and prepare the ROC report will vary. The key takeaway here is to always prepare in advance, as the last thing any company wants is to be hit by compliance fines due to not meeting compliance requirements.
Who Files the ROC?
A PCI Qualified Security Assessor (QSA) typically completes the audit for merchants and fills out the ROC form. This is especially true for large organizations that handle millions of credit card transactions annually, as they are more likely to need a ROC to verify their PCI DSS compliance. After the form is completed, it’s sent to the merchant’s acquiring bank. Once the bank receives and accepts the ROC, it sends the document to Visa, which will verify the merchant is compliant.
On the other hand, a merchant may have staff trained and certified as Internal Security Assessors (ISAs). An ISA can organize and conduct an internal assessment and complete a ROC. ISAs can also file a Self-Assessment Questionnaire (SAQ); in some instances, a merchant can use a SAQ in place of a ROC and a formal audit. Whether a merchant can use a SAQ will depend on its company size and yearly credit card transaction volume.
What Is In a PCI Report on Compliance?
All merchants accepting, processing, or transmitting credit card data must conduct a risk assessment. This assessment must verify that the business meets the 12 PCI DSS requirements. After a company has achieved PCI compliance, it must undergo yearly data security assessments to maintain that compliance.
The Report on Compliance is used to confirm that an audited merchant is compliant with the PCI DSS standards. QSAs use the ROC template to conduct the assessment; it includes specific reporting instructions and the mandatory format in which QSAs document PCI DSS assessments. This template ensures that assessors maintain a consistent level of reporting for each merchant.
The audit will check various factors, such as internal data flows, data security policies and procedures, IT policies, networks used, and payment applications. A QSA will conduct a detailed on-site assessment of the merchant. Specifically, this assessment will include information about a merchant’s environment, security stance, and approach to protecting cardholder data. Furthermore, the form will also mention any security weaknesses found during the assessment.
After the assessor is finished, they will provide a summary of their findings, which helps merchants and their stakeholders, clients, payment providers, and other interested parties understand their current PCI compliance status.
The required documents for different PCI levels are:
- PCI Level 1 Merchant – ROC and Quarterly External ASV Scans
- PCI Level 2 Merchant – ROC or SAQ and Quarterly External ASV Scans (varies based on card brand)
- PCI Level 3 Merchant – SAQ and Quarterly External ASV Scans
The Importance of ROC
PCI DSS compliance reports are a necessary measure to help protect cardholder data from fraud. Specifically, the ROC provides key information about how a merchant gathers, processes, secures, and distributes cardholder data. There are several reasons why the Report on Compliance form is essential:
- This report confirms that merchants that handle personally identifiable information (PII) such as credit card numbers meet PCI DSS requirements.
- ROC helps organizations identify and address potential compliance and security risks.
- Failure to submit this mandatory report can lead to hefty fines, legal action, and reputational damage to a business.
Are You PCI Compliant?
If you need to achieve PCI compliance, it is essential to look for a QSA qualified by the PCI Security Standards Council. Things to ask include who their past clients are and whether the QSA helped those clients maintain compliance. A reputable and experienced QSA will ensure merchants are compliant and identify areas to improve data security and compliance.
TokenEx was founded by two former QSAs dedicated to building the most secure and flexible data protection solution. Our tokenization platform has helped clients worldwide achieve PCI compliance by storing their sensitive data on a secure cloud platform and offering seamless integrations for third-party partners. This allows companies to maintain compliance with their data protection requirements.