Of all the documents in PCI DSS, the Attestation of Compliance, or AOC, is the one your partners and customers are most likely to ask to see. While the Self-Assessment Questionnaire and the Report on Compliance contain the detailed work, the AOC is the concise, formal summary that declares the outcome — the portable proof of compliance that travels between organizations during due diligence and contract negotiations.
This guide explains what an AOC is, how it relates to the SAQ and RoC, what it contains, who completes and signs it, how it is used in practice, and why keeping it current matters so much. Because the AOC is the document people handle most often, understanding it clearly is essential to representing your compliance accurately and responding smoothly when proof is requested.
What an Attestation of Compliance is
The Attestation of Compliance is a formal declaration summarizing the result of a PCI DSS validation. It states what was assessed, which validation method was used, and the outcome — essentially confirming, in a concise and standardized form, that the organization has validated its compliance with the standard. It is the document that accompanies either a Self-Assessment Questionnaire or a Report on Compliance.
Think of the AOC as the cover declaration that sits on top of the detailed assessment. The full SAQ or RoC contains the granular evidence of how each requirement was met, but the AOC distills that into a signed statement of the conclusion. Despite being the shortest of the core PCI documents, it is often the most frequently exchanged, because it conveys the essential result without exposing the underlying detail.
How the AOC relates to the SAQ and RoC
The AOC does not stand alone; it is the companion to a validation. When an organization completes a Self-Assessment Questionnaire, it produces an AOC that summarizes the result of that self-assessment. When an organization undergoes a Report on Compliance with a Qualified Security Assessor, it produces an AOC summarizing the result of that independent assessment. In both cases, the AOC is the declared outcome.
This relationship is the source of much confusion, because people sometimes treat the AOC as if it were the whole story. In reality, the AOC is meaningful precisely because it rests on an SAQ or RoC. A partner who receives your AOC is trusting that the detailed assessment behind it was genuinely performed, which is why the integrity of the underlying validation matters as much as the attestation itself.
What an AOC contains
An AOC is a structured document with several standard sections. It identifies the organization and the assessed entity, describes the scope of the assessment including the cardholder data environment, and records the validation method used — which SAQ type, or that a RoC was performed. It states the assessment result and the date, and includes contact and assessor information where applicable.
The AOC also captures key facts about how the organization handles card data and any services it provides, so that a reader can understand what the attestation actually covers. Because scope is so central to PCI DSS, the AOC's description of what was and was not assessed is one of its most important elements: a clean AOC that covers a narrow scope means something quite different from one covering a broad environment, and readers should attend to that detail.
Who completes and signs the AOC
For a self-assessment, the organization completes and signs its own AOC, with a senior officer attesting to the accuracy of the validation. For a Report on Compliance, both the organization and the Qualified Security Assessor are involved, with the assessor attesting to the assessment they performed and the organization confirming its responsibilities. The signature is significant: it is a formal representation that the stated compliance is genuine.
Because signing an AOC is an official attestation, it should never be treated casually. The person signing is vouching for the accuracy of the validation, and a false or careless attestation carries real consequences. This is part of why a well-founded AOC depends on a genuinely thorough underlying assessment — the signature is only as trustworthy as the work behind it.
How the AOC is used in practice
In day-to-day business, the AOC is the document that proves your compliance to others. Your acquiring bank collects it as evidence that you have validated. Enterprise customers and partners request it during vendor due diligence to confirm that a supplier handling card data is compliant before signing a contract. Service providers routinely provide their AOC to the merchants who rely on them.
This makes the AOC a commercial document as much as a compliance one. A current, clean AOC can smooth a sales process and reassure a cautious buyer, while a missing or expired one can stall a deal regardless of how good your actual security is. Keeping your AOC readily available and up to date is therefore part of supporting your business, not just satisfying your bank.
Why keeping the AOC current matters
PCI DSS validation is performed annually, so an AOC reflects a point-in-time assessment and is generally treated as current for about a year. Once it lapses, you can no longer credibly demonstrate compliance, even if your controls remain strong. A partner asking for proof will see an expired attestation, which undermines confidence and can hold up business.
Keeping the AOC current means planning your re-validation before the previous one expires, so there is never a gap in your ability to prove compliance. Organizations that treat validation as a continuous annual cycle always have a fresh AOC ready, while those that let it lapse find themselves explaining the gap at exactly the wrong moment. The small discipline of timely re-validation avoids this entirely.
Service provider AOCs and your scope
The AOCs of your service providers matter to your own compliance. When you outsource part of your payment handling to a compliant provider, you rely on that provider's AOC to keep the outsourced portion out of your own scope. Collecting and reviewing your providers' AOCs is therefore a real compliance task, not a formality, because it underpins the scope reductions you claim.
This means you should track the AOCs of the providers in your payment chain, confirm they are current, and understand exactly what each one covers. A provider whose AOC has lapsed, or whose attestation does not cover the service you actually use, can quietly undermine your scope assumptions. Managing third-party AOCs is a part of compliance that is easy to overlook but important to get right.
Common AOC mistakes
Several mistakes recur with AOCs. Letting the AOC expire and being unable to prove compliance when asked is the most common and damaging. Misrepresenting scope — presenting an AOC that covers a narrow validation as if it covered everything — can mislead partners and create liability. Failing to collect service providers' AOCs leaves scope-reduction claims unsupported. And treating the AOC as a standalone document, disconnected from a real assessment, hollows out its meaning.
Avoiding these mistakes comes down to discipline: validate on time, represent your scope honestly, manage your providers' attestations, and ensure every AOC rests on a genuine assessment. Handled this way, the AOC becomes a reliable, trusted instrument that smooths your business rather than a source of confusion or risk.
How ISpectra helps with your AOC
Producing an accurate AOC that rests on a sound validation, and keeping it current year after year, is the visible result of PCI DSS certification, and ISpectra Technologies makes it dependable. ISpectra manages the underlying SAQ or RoC, ensures the AOC accurately reflects your scope and result, and helps you maintain an annual cycle so your attestation never lapses when a partner asks for it.
With free vulnerability assessment and penetration testing supporting the validation behind the AOC and a 10% discount when PCI DSS is bundled with SOC 2 or ISO 27001, ISpectra ensures your attestation is always genuine, current, and ready — turning a document partners scrutinize into a quiet competitive advantage.