Few things cause more confusion in PCI DSS than its three core documents: the RoC, the AOC, and the SAQ. The acronyms sound similar, they all relate to proving compliance, and they are frequently mixed up — yet each plays a distinct role, and understanding the difference is essential to navigating validation. Get them straight and the whole reporting process becomes far clearer.
This guide defines the Report on Compliance, the Attestation of Compliance, and the Self-Assessment Questionnaire, explains how they relate to one another, clarifies who needs which, and shows how they fit together in a complete validation. By the end, these three acronyms will be a source of clarity rather than confusion.
The three documents at a glance
At a high level, the three documents serve different purposes. The Self-Assessment Questionnaire (SAQ) is a self-completed attestation used by organizations that validate themselves. The Report on Compliance (RoC) is a detailed assessment produced by a Qualified Security Assessor for organizations that require a formal audit. The Attestation of Compliance (AOC) is the summary declaration of the result, produced in both cases.
The simplest way to hold them in mind: the SAQ and the RoC are two alternative ways of demonstrating compliance — one self-assessed, one independently assessed — while the AOC is the conclusion that accompanies either. You will always produce an AOC; whether you produce an SAQ or a RoC depends on your level.
| Document | What it is | Who uses it |
|---|---|---|
| SAQ | Self-completed questionnaire attesting compliance | Smaller merchants & lower-tier service providers |
| RoC | Detailed independent assessment by a QSA | Level 1 merchants & major service providers |
| AOC | Summary declaration of the validation result | Everyone — accompanies either an SAQ or a RoC |
What the SAQ is
The Self-Assessment Questionnaire is a validation tool for organizations permitted to assess their own compliance, typically smaller merchants and lower-tier service providers. It consists of a series of questions covering the PCI DSS requirements relevant to the organization's payment scenario, which the organization answers to confirm it meets them.
There are several SAQ types, each tailored to a specific way of accepting payments — from fully outsourced e-commerce to card-present terminals to environments that handle card data directly. Choosing the correct SAQ type is crucial, because each contains only the requirements relevant to its scenario, and the right one keeps the assessment focused on what genuinely applies to you.
What the RoC is
The Report on Compliance is a comprehensive assessment of an organization's compliance, performed by a Qualified Security Assessor (or in some cases a qualified internal assessor). Unlike the self-completed SAQ, the RoC involves an independent expert examining the environment, testing controls, sampling evidence, and documenting in detail how each requirement is met.
The RoC is required for the largest merchants and major service providers, where the stakes justify a thorough, independent examination. It is the most rigorous form of validation, producing a detailed document that records the assessor's testing and conclusions for every applicable requirement. Producing a RoC is a substantial undertaking compared with completing an SAQ.
What the AOC is
The Attestation of Compliance is the formal declaration that summarizes the outcome of a validation, whether that validation was an SAQ or a RoC. It states what was assessed, the validation method used, and the result. In effect, it is the certificate-like summary that the organization, and where applicable the assessor, signs to declare the compliance status.
The AOC is the document that travels. While the full SAQ or RoC contains the detail, the AOC is the concise proof that acquiring banks collect and that partners and customers request during due diligence. Because it is the portable evidence of compliance, the AOC is the document people handle most frequently, even though it is the shortest of the three.
How the three relate
The relationship is straightforward once the roles are clear. An organization validates either by completing an SAQ (self-assessment) or by undergoing a RoC (independent assessment). Whichever path it takes, the validation concludes with an AOC summarizing the result. So the SAQ and RoC are mutually exclusive alternatives, and the AOC accompanies whichever one was used.
Put differently, the SAQ and RoC are the work; the AOC is the receipt. You will never produce both an SAQ and a RoC for the same validation, but you will always produce an AOC. Keeping this structure in mind dissolves most of the confusion these three acronyms cause.
Who needs which
Which documents you produce depends on your level. Level 1 merchants and major service providers undergo a RoC and produce the accompanying AOC. Smaller merchants and lower-tier service providers complete the appropriate SAQ and produce the accompanying AOC. In both cases the AOC is the shared output; the difference is whether the underlying assessment is self-completed or independently performed.
Your acquiring bank determines and confirms which path applies to you, based on your transaction volume and history. Because a prior breach can elevate a merchant to the RoC path regardless of size, the determination is not always obvious from volume alone, which is why confirming with your acquirer is the reliable approach.
Why the distinctions matter in practice
These distinctions are not academic; they affect how you prepare and what others expect from you. Knowing whether you need an SAQ or a RoC tells you whether you are self-assessing or engaging a QSA, which dramatically changes the effort, cost, and timeline. Knowing that the AOC is the portable summary tells you which document to keep handy for partners and which to produce when asked for proof of compliance.
Confusing the documents leads to real mistakes: preparing the wrong validation, sending a partner the wrong artifact, or assuming an AOC alone substitutes for the underlying assessment. Clarity about each document's role ensures you prepare correctly, respond to requests appropriately, and avoid the delays that confusion causes.
This clarity matters most under pressure. When a major customer suddenly asks for your AOC mid-deal, or your acquirer requests evidence of validation, knowing exactly which document to provide and how it relates to the underlying assessment lets you respond immediately and credibly, rather than scrambling to work out what is being asked for.
Keeping your documents current
PCI DSS validation is annual, which means these documents have a shelf life. An SAQ or RoC, and the AOC that accompanies it, reflect a point-in-time validation and are generally treated as current for about a year. Letting them lapse leaves you unable to demonstrate compliance when a partner asks, which can stall business even if your controls are still sound.
Maintaining current documents means planning your re-validation before the previous one expires, so there is no gap. Organizations that treat validation as an annual cycle, with the next assessment scheduled well in advance, always have fresh documents ready — while those that treat it as a one-off scramble to reproduce them under pressure.
How ISpectra helps with your PCI documents
Producing the right documents — the correct SAQ or a clean RoC, plus an accurate AOC — is the tangible output of PCI DSS certification, and ISpectra Technologies makes that output straightforward. ISpectra helps you determine which documents you need, select and complete the right SAQ, manage the RoC process with a QSA, and produce an AOC your acquirer and partners will accept without question.
With free vulnerability assessment and penetration testing to support the underlying validation and a 10% discount when PCI DSS is bundled with SOC 2 or ISO 27001, ISpectra ensures your PCI paperwork is correct, current, and ready whenever a partner or bank asks for proof. With the three documents clearly understood and kept current, what once felt like an alphabet soup of acronyms becomes a simple, repeatable part of how you do business.