A guide to compliance frameworks for startups, with everything you need to know about the most common frameworks and how they apply.
Report on Compliance
You’ve likely heard of reports on compliance, but what are they, exactly? And more importantly, what do they mean for your business?
A report on compliance, or RoC, is a document that summarizes a merchant’s compliance with the Payment Card Industry Data Security Standard (PCI DSS). The report is compiled by a Qualified Security Assessor (QSA) and is used to assess a merchant’s PCI DSS compliance.
If you’re not familiar with PCI DSS, let’s recap. PCI DSS is a set of standards designed to protect credit card data. All businesses that process, store, or transmit credit card information must comply with PCI DSS.
What is a Report on Compliance (RoC)?
A PCI Report on Compliance (RoC) is an assessment that tests a company’s security controls that protect cardholder data. The report details whether your company meets all 12 requirements of the PCI DSS standard and any deficiencies discovered during the assessment.
Keep in mind, this form must be completed by all Level 1 Visa merchants.
How does PCI DSS require a Report on Compliance?
When it comes to the protection of customer data, the Payment Card Industry Data Security Standard (PCI DSS) is one of the most comprehensive and well-known frameworks. As a merchant, it’s important to understand when PCI DSS requires a Report on Compliance.
The PCI Security Standards Council (SSC) requires level two, three and four merchants to complete and submit a Self-Assessment Questionnaire (SAQ) on an annual basis. This questionnaire helps entities assess their own compliance posture against the PCI DSS.
On the other hand, level one merchants are required to submit a Report on Compliance (RoC) to their acquiring bank.
How do you file a Report on Compliance?
You may be wondering how you can actually file a Report on Compliance (RoC). The PCI Security Standards Council advises that all merchants should have a Qualified Security Assessor (QSA) submit their Report on Compliance. This can be done through a web-based form or via a RoC form.
The merchant must provide the QSA with the necessary information and access to all systems, applications, and network components relevant to their PCI DSS assessment. Then, the QSA will create a formal RoC document that attests to the merchant’s current level of compliance with the PCI DSS requirements as of the time of assessment, including any compensating controls. The QSA will then submit the document, along with a summary demonstrating compliance with each control identified in the PCI DSS.
If everything was found to be in order during the assessment process, then no further action is required from the business – the RoC is proof that your company is compliant with the standard. Otherwise, if remediation activities are necessary for achieving and maintaining compliance, then they should be addressed as soon as possible.
When it comes to compliance, it’s crucial to have accurate and up-to-date information at your fingertips. Make sure to stay up to date on the latest changes to the security standard, so you can stay compliant and avoid penalties.