PCI DSS v4.0 ROC AOC Merchants
Entity Name:
PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page ii
Section 1 Assessment Information
Instructions for Submission
This Attestation of Compliance (AOC) must be completed as a declaration of the results of the merchant’s
assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing
Procedures (“Assessment”). Complete all sections. The merchant is responsible for ensuring that each section is
completed by the relevant parties, as applicable. Contact the entity(ies) to which this AOC will be submitted for
reporting and submission procedures.
This AOC reflects the results documented in an associated Report on Compliance (ROC). Associated ROC sections
are noted in each AOC Part/Section below.
Capitalized terms used but not otherwise defined in this document have the meanings set forth in the PCI DSS
Report on Compliance Template.
Part 1. Contact Information
ISA name(s):
Company name:
Company website:
Part 2a. Merchant Business Payment Channels (select all that apply):
(ROC Section 2.1)
Indicate all payment channels used by the business that are included in this Assessment.
Mail order / telephone order (MOTO)
E-Commerce
Card-present
If yes, indicate which channel(s) is not included in the Assessment and provide a brief explanation about why the channel was excluded.
Note: If the merchant has a payment channel that is not covered by this Assessment, consult with the entity(ies) to
which this AOC will be submitted about validation for the other channels.
For each payment channel included in this Assessment as selected in Part 2a above, describe how the business
stores, processes, and/or transmits account data.
Indicate whether the environment includes segmentation to reduce the scope of the Assessment. Yes No
Refer to “Segmentation” section of PCI DSS for guidance on segmentation.
List all types of physical locations/ facilities (for example, retail locations, corporate offices, data centers, call
centers, and mail rooms) in scope for the Assessment.
Facility Type | Total Number of Locations (How many locations of this type are in scope) | Location(s) of Facility (city, country)
Part 2e. PCI SSC Validated Products and Solutions
(ROC Section 3.3)
Does the entity use any item identified on any PCI SSC Lists of Validated Products and Solutions*?
Yes No
Provide the following information regarding each item the entity uses from PCI SSC's Lists of Validated Products
and Solutions:
Name of PCI SSC-Validated Product or Solution | Version of Product or Solution | PCI SSC Standard to which Product or Solution Was Validated | PCI SSC Listing Reference Number | Expiry Date of Listing
YYYY-MM-DD
* For purposes of this document, “Lists of Validated Products and Solutions” means the lists of validated products, solutions,
and/or components, appearing on the PCI SSC website (www.pcisecuritystandards.org) (for example, 3DS Software
Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA-DSS), Point to Point
Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, and Contactless Payments on COTS
(CPoC) solutions).
Does the entity have relationships with one or more third-party service providers that:
• Store, process, or transmit account data on the entity’s behalf (for example, payment gateways, payment processors, payment service providers (PSPs), and off-site storage) Yes No
• Manage system components included in the scope of the Assessment (for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud providers) Yes No
• Could impact the security of the entity’s CDE (for example, vendors providing support via remote access, and/or bespoke software developers). Yes No
If Yes:
Part 2g. Summary of Assessment
(ROC Section 1.8.1)
Indicate below all responses provided within each principal PCI DSS requirement.
Requirement | Requirement Finding (More than one response may be selected for a given PCI DSS requirement. Indicate all responses that apply.): In Place / In Place with Remediation / Not Applicable / Not Tested / Not In Place | Select If Below Method(s) Was Used: Customized Approach / Compensating Controls
Requirement 1:
Requirement 2:
Requirement 3:
Requirement 4:
Requirement 5:
Requirement 6:
Requirement 7:
Requirement 8:
Requirement 9:
Requirement 10:
Requirement 11:
Requirement 12:
Appendix A2:
Section 2 Report on Compliance
(ROC Sections 1.2 and 1.3.2)
Were any requirements in the ROC unable to be met due to a legal constraint? Yes No
Section 3 Validation and Attestation Details
This AOC is based on results noted in the ROC dated (Date of Report as noted in the ROC YYYY-MM-DD).
Indicate below whether a full or partial PCI DSS assessment was completed:
Full Assessment – All requirements have been assessed and therefore no requirements were marked as Not
Tested in the ROC.
Partial Assessment – One or more requirements have not been assessed and were therefore marked as Not
Tested in the ROC. Any requirement not assessed is noted as Not Tested in Part 2g above.
Based on the results documented in the ROC noted above, each signatory identified in any of Parts 3b-3d, as
applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (select one):
Compliant: All sections of the PCI DSS ROC are complete, and all assessed requirements are
marked as being either 1) In Place, 2) In Place with Remediation, or 3) Not Applicable, resulting in an
overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated compliance with
all PCI DSS requirements except those noted as Not Tested above.
Non-Compliant: Not all sections of the PCI DSS ROC are complete, or one or more requirements are
marked as Not in Place, resulting in an overall NON-COMPLIANT rating; thereby (Merchant Company
Name) has not demonstrated compliance with PCI DSS requirements.
Target Date for Compliance: YYYY-MM-DD
An entity submitting this form with a Non-Compliant status may be required to complete the Action
Plan in Part 4 of this document. Confirm with the entity to which this AOC will be submitted before
completing Part 4.
Compliant but with Legal exception: One or more assessed requirements in the ROC are marked
as Not in Place due to a legal restriction that prevents the requirement from being met and all other
assessed requirements are marked as being either 1) In Place, 2) In Place with Remediation, or 3) Not
Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby
(Merchant Company Name) has demonstrated compliance with all PCI DSS requirements except
those noted as Not Tested above or as Not in Place due to a legal restriction.
This option requires additional review from the entity to which this AOC will be submitted.
If selected, complete the following:
Affected Requirement | Details of how legal constraint prevents requirement from being met
Part 3a. Merchant Acknowledgement
Signatory(s) confirms:
(Select all that apply)
The ROC was completed according to PCI DSS, Version 4.0 and was completed according to the
instructions therein.
All information within the above-referenced ROC and in this attestation fairly represents the results of the
Assessment in all material respects.
PCI DSS controls will be maintained at all times, as applicable to the entity’s environment.
If a QSA was involved or assisted with this Assessment, indicate the role performed:
QSA performed testing procedures.
QSA provided other assistance. If selected, describe all role(s) performed:
If an ISA(s) was involved or assisted with this Assessment, indicate the role performed:
ISA(s) performed testing procedures.
ISA(s) provided other assistance. If selected, describe all role(s) performed:
Part 4. Action Plan for Non-Compliant Requirements
Only complete Part 4 upon request of the entity to which this AOC will be submitted, and only if the Assessment
has Non-Compliant results noted in Section 3.
If asked to complete this section, select the appropriate response for “Compliant to PCI DSS Requirements” for
each requirement below. For any “No” responses, include the date the entity expects to be compliant with the
requirement and provide a brief description of the actions being taken to meet the requirement.
PCI DSS Requirement | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES / NO | Remediation Date and Actions (If “NO” selected for any Requirement)