PCI DSS QSA Audit and Report on Compliance (RoC)

When all PCI DSS control gaps have been identified, and remediation activities have been completed, the PCI DSS QSA Audit represents the final step for a Level 1 merchant before achieving PCI DSS compliance.

Our team delivers a full PCI DSS QSA led audit and Report on Compliance (RoC) against the current version of the Standard. It will also provide a completed Attestation of Compliance (AoC) form and allow for submission of the required paperwork to the party requesting compliance from the organisation.

With strong technical backgrounds’ and an understanding of compensating controls, our QSA’s work to accurately understand your infrastructure and scope, spending the necessary time onsite, to comprehensively assess your PCI DSS Controls. As part of our structured audit service, we provide you not only with assessment of compliance, but also risk-based guidance to improve your overall security posture.

Fast Track Your PCI DSS Compliance

Request an initial PCI DSS Compliance Program consultation.



Our PCI DSS QSA will gather documentation for the audit, prior to conducting a number of on-site interviews with the relevant resource. The resource required will be established prior to the onsite audit. During the interviews our QSA will review each of the PCI DSS requirements and sub requirements establishing if the requirement is currently complied with.
Once the onsite audit is completed we will communicate any outstanding evidence or remediation requirements with you, so these can be addressed. During this time, our QSA will be available to receive updates and answer any queries regarding evidence and remediation items, until completion.

In the meantime, our QSA will begin the preparation of the RoC. With completion of all the remediation items, we will then submit the completed RoC to our internal QA process, before preparing the AoC ready for the formal submission, certifying your organisation as compliant.

Key Benefits

  • The ability to demonstrate compliance with the latest version of the PCI DSS
  • Full remediation support as part of the audit process.
  • Prepare and submit the required Attestation of Compliance (AoC)
  • Provides a trusted partner to assist in your compliance audit journey

Our Methodology

Stage 1: Pre- Assessment Phase (Off Site)

  • Meeting with key staff members
  • Provide walkthrough of audit engagement activities and agree resources for the audit interviews and evidence gathering
  • Identify and review the current documentation in place

Stage 2: On-site QSA PCI DSS Audit

  • Interviews with the appropriate resources to audit the 12 PCI DSS control areas requirements and gather supporting evidence.
  • Presentation of audit findings and strategic recommendations.
  • Preparation of the Report on Compliance (RoC)

Stage 3: Remediation support

  • Document any outstanding evidence and/or remediation and work with the appropriate resources to address.
  • Manage and track remediation items to completion
  • Validate the implementation of remediation items prior to publication of the RoC to ensure a compliant RoC can be issued.

Stage 4: Reporting Phase

  • Gather final elements of evidence required for the RoC and complete
  • Perform Quality Assurance (QA) of the RoC and complete any updates appropriately
  • Complete the AoC and submit to the credit card brands, and the acquiring bank


  • Total:                   Agreed during initial consultation
  • Onsite:                As Above
  • Remote:             As Above


PCI DSS Audit Remediation and Supplementary Evidence Plan – this will document the additional evidence , remediation activities and compensating controls required to complete the RoC and AoC, and pass the PCI DSS Audit

Report on Compliance Quality Assurance (QA) ProcessAs part of our PCI DSS Report on Compliance process and as mandated by the PCI council, we will undertake a detailed Quality Assurance review of any RoC’s that we produce. This process involves an internal peer review of the RoC by another QSA. This will ensure that all required areas have been covered, that the RoC is fit for purpose, and meets the standard’s requirements, this is achieved by using the PCI DSS scoring matrix from the PCI SSC.

Completed PCI DSS Report on Compliance (RoC) – The Report on Compliance is produced during onsite PCI DSS assessments as part of an entity’s validation process. The RoC provides details about the entity’s environment, assessment methodology, and documents the entity’s compliance status for each PCI DSS control requirement.

Completed PCI DSS Attestation of Compliance (AoC) The Attestation of Compliance is a declaration of an entity’s compliance status with the PCI DSS requirements, and security assessment procedures. This document is used to demonstrate the compliance status of an entity to credit card brands, and the acquiring bank

Optional Related services