Payment Card Industry

Data Security Standard

Attestation of Compliance for Report

on Compliance - Merchants
Version 4.0

Publication Date: March 2022

PCI DSS v4.0 Attestation of Compliance for Report on
Compliance - Merchants

Entity Name:

Assessment End Date:

Date of Report as noted in the Report on Compliance:

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page ii
Section 1 Assessment Information
Instructions for Submission
This Attestation of Compliance (AOC) must be completed as a declaration of the results of the merchant’s
assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing
Procedures (“Assessment”). Complete all sections. The merchant is responsible for ensuring that each section is
completed by the relevant parties, as applicable. Contact the entity(ies) to which this AOC will be submitted for
reporting and submission procedures.
This AOC reflects the results documented in an associated Report on Compliance (ROC). Associated ROC sections
are noted in each AOC Part/Section below.
Capitalized terms used but not otherwise defined in this document have the meanings set forth in the PCI DSS
Report on Compliance Template.

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page 1
 Part 1. Contact Information

Part 1a. Assessed Entity

(ROC Section 1.1)
Company name:

DBA (doing business as):

Company mailing address:

Company main website:

Company contact name:

Company contact title:

Contact phone number:

Contact e-mail address:

Part 1b. Assessor

(ROC Section 1.1)
Provide the following information for all assessors involved in the Assessment. If there was no assessor for a given
assessor type, enter Not Applicable.

PCI SSC Internal Security Assessor(s)

ISA name(s):

Qualified Security Assessor

Company name:

Company mailing address:

Company website:

Lead Assessor name:

Assessor phone number:

Assessor e-mail address:

Assessor certificate number:

Part 2. Executive Summary

Part 2a. Merchant Business Payment Channels (select all that apply):
(ROC Section 2.1)

Indicate all payment channels used by the business that are included in this Assessment.
Mail order / telephone order (MOTO)
E-Commerce
Card-present

Are any payment channels not included in this Yes No

Assessment?

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page 2
 If yes, indicate which channel(s) is not included in
the Assessment and provide a brief explanation
about why the channel was excluded.

Note: If the merchant has a payment channel that is not covered by this Assessment, consult with the entity(ies) to
which this AOC will be submitted about validation for the other channels.

Part 2b. Description of Role with Payment Cards

(ROC Section 2.1)

For each payment channel included in this Assessment as selected in Part 2a above, describe how the business
stores, processes, and/or transmits account data.

Channel How Business Stores, Processes, and/or Transmits Account Data

Part 2c. Description of Payment Card Environment

Provide a high-level description of the environment covered by

this Assessment.
For example:
• Connections into and out of the cardholder data
environment (CDE).
• Critical system components within the CDE, such as POI
devices, databases, web servers, etc., and any other
necessary payment components, as applicable.
• System components that could impact the security of
account data.

Indicate whether the environment includes segmentation to reduce the scope of the Yes No
Assessment.
Refer to “Segmentation” section of PCI DSS for guidance on segmentation.

Part 2d. In-Scope Locations/Facilities

(ROC Section 4.6)

List all types of physical locations/ facilities (for example, retail locations, corporate offices, data centers, call
centers, and mail rooms) in scope for the Assessment.

Total Number of
Locations
(How many locations of Location(s) of Facility
Facility Type this type are in scope) (city, country)

Example: Retail locations 3 Boston, MA, USA

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page 3
 Part 2e. PCI SSC Validated Products and Solutions
(ROC Section 3.3)

Does the entity use any item identified on any PCI SSC Lists of Validated Products and Solutions*?
Yes No

Provide the following information regarding each item the entity uses from PCI SSC's Lists of Validated Products
and Solutions:

Name of PCI SSC- Version of PCI SSC Standard to PCI SSC Listing
Expiry Date of
Validated Product or Product or which Product or Reference
Listing
Solution Solution Solution Was Validated Number

YYYY-MM-DD

YYYY-MM-DD

YYYY-MM-DD

YYYY-MM-DD

YYYY-MM-DD

YYYY-MM-DD
* For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated products, solutions,
and/or components, appearing on the PCI SSC website (www.pcisecuritystandards.org) (for example, 3DS Software
Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA-DSS), Point to Point
Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, and Contactless Payments on COTS
(CPoC) solutions).

Part 2f. Third-Party Service Providers

(ROC Section 4.4)

Does the entity have relationships with one or more third-party service providers that:

• Store, process, or transmit account data on the entity’s behalf (for example, payment Yes No
gateways, payment processors, payment service providers (PSPs), and off-site
storage)

• Manage system components included in the scope of the Assessment (for example, via Yes No
network security control services, anti-malware services, security incident and event
management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS,
SaaS, and FaaS cloud providers)

• Could impact the security of the entity’s CDE (for example, vendors providing support Yes No
via remote access, and/or bespoke software developers).

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page 4
 If Yes:

Name of Service Provider: Description of Service(s) Provided:

Note: Requirement 12.8 applies to all entities in this list.

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page 5
 Part 2g. Summary of Assessment
(ROC Section 1.8.1)

Indicate below all responses provided within each principal PCI DSS requirement.
Requirement Finding Select If Below Method(s)
More than one response may be selected for a given Was Used
PCI DSS requirement. Indicate all responses that apply.
Requirement
In In Place with Not Not Not In Customized Compensating
Place Remediation Applicable Tested Place Approach Controls

Requirement 1:

Requirement 2:

Requirement 3:

Requirement 4:

Requirement 5:

Requirement 6:

Requirement 7:

Requirement 8:

Requirement 9:

Requirement 10:

Requirement 11:

Requirement 12:

Appendix A2:

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page 6
Section 2 Report on Compliance
(ROC Sections 1.2 and 1.3.2)

Date Assessment began: YYYY-MM-DD

Note: This is the first date that evidence was gathered, or observations were made.

Date Assessment ended: YYYY-MM-DD

Note: This is the last date that evidence was gathered, or observations were made.

Were any requirements in the ROC unable to be met due to a legal constraint? Yes No

Were any testing activities performed remotely? Yes No

If yes, for each testing activity below, indicate whether remote assessment activities were
performed:
• Examine documentation Yes No
• Interview personnel Yes No
• Examine/observe live data Yes No
• Observe process being performed Yes No
• Observe physical environment Yes No
• Interactive testing Yes No
• Other:

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page 7
Section 3 Validation and Attestation Details

Part 3. PCI DSS Validation

(ROC Section 1.7)

This AOC is based on results noted in the ROC dated (Date of Report as noted in the ROC YYYY-MM-DD).
Indicate below whether a full or partial PCI DSS assessment was completed:
Full Assessment – All requirements have been assessed and therefore no requirements were marked as Not
Tested in the ROC.
Partial Assessment – One or more requirements have not been assessed and were therefore marked as Not
Tested in the ROC. Any requirement not assessed is noted as Not Tested in Part 2g above.

Based on the results documented in the ROC noted above, each signatory identified in any of Parts 3b-3d, as
applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (select one):

Compliant: All sections of the PCI DSS ROC are complete, and all assessed requirements are
marked as being either 1) In Place, 2) In Place with Remediation, or 3) Not Applicable, resulting in an
overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated compliance with
all PCI DSS requirements except those noted as Not Tested above.

Non-Compliant: Not all sections of the PCI DSS ROC are complete, or one or more requirements are
marked as Not in Place, resulting in an overall NON-COMPLIANT rating; thereby (Merchant Company
Name) has not demonstrated compliance with PCI DSS requirements.
Target Date for Compliance: YYYY-MM-DD
An entity submitting this form with a Non-Compliant status may be required to complete the Action
Plan in Part 4 of this document. Confirm with the entity to which this AOC will be submitted before
completing Part 4.

Compliant but with Legal exception: One or more assessed requirements in the ROC are marked
as Not in Place due to a legal restriction that prevents the requirement from being met and all other
assessed requirements are marked as being either 1) In Place, 2) In Place with Remediation, or 3) Not
Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby
(Merchant Company Name) has demonstrated compliance with all PCI DSS requirements except
those noted as Not Tested above or as Not in Place due to a legal restriction.
This option requires additional review from the entity to which this AOC will be submitted.
If selected, complete the following:

Affected Requirement Details of how legal constraint prevents requirement from being met

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page 8
 Part 3a. Merchant Acknowledgement

Signatory(s) confirms:
(Select all that apply)

The ROC was completed according to PCI DSS, Version 4.0 and was completed according to the
instructions therein.

All information within the above-referenced ROC and in this attestation fairly represents the results of the
Assessment in all material respects.

PCI DSS controls will be maintained at all times, as applicable to the entity’s environment.

Part 3b. Merchant Attestation

Signature of Merchant Executive Officer  Date: YYYY-MM-DD

Merchant Executive Officer Name: Title:

Part 3c. Qualified Security Assessor (QSA) Acknowledgement

If a QSA was involved or assisted with this QSA performed testing procedures.
Assessment, indicate the role performed:
QSA provided other assistance.
If selected, describe all role(s) performed:

Signature of Lead QSA  Date: YYYY-MM-DD

Lead QSA Name:

Signature of Duly Authorized Officer of QSA Company  Date: YYYY-MM-DD

Duly Authorized Officer Name: QSA Company:

Part 3d. PCI SSC Internal Security Assessor (ISA) Involvement

If an ISA(s) was involved or assisted with this ISA(s) performed testing procedures.
Assessment, indicate the role performed:
ISA(s) provided other assistance.
If selected, describe all role(s) performed:

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page 9
 Part 4. Action Plan for Non-Compliant Requirements
Only complete Part 4 upon request of the entity to which this AOC will be submitted, and only if the Assessment
has Non-Compliant results noted in Section 3.
If asked to complete this section, select the appropriate response for “Compliant to PCI DSS Requirements” for
each requirement below. For any “No” responses, include the date the entity expects to be compliant with the
requirement and provide a brief description of the actions being taken to meet the requirement.

Compliant to PCI
Remediation
DSS Requirements
PCI DSS Date and Actions
Description of Requirement (Select One)
Requirement (If “NO” selected for any
Requirement)
YES NO

Install and maintain network security

1
controls

Apply secure configurations to all system

2
components

3 Protect stored account data

Protect cardholder data with strong

4 cryptography during transmission over
open, public networks

Protect all systems and networks from

5
malicious software

Develop and maintain secure systems

6
and software

Restrict access to system components

7 and cardholder data by business need to
know

Identify users and authenticate access to

8
system components

Restrict physical access to cardholder

9
data

Log and monitor all access to system

10
components and cardholder data

Test security systems and networks

11
regularly

Support information security with

12
organizational policies and programs

Additional PCI DSS Requirements for

Appendix A2 Entities using SSL/early TLS for Card-
Present POS POI Terminal Connections

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Merchants March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page 10