PCI DSS Report on Compliance (ROC) Checklist
A comprehensive guide to the ROC — the detailed assessment document required for Level 1 merchants and all service providers seeking PCI DSS validation.
Understand the ROC structure, evidence requirements, and common failure points so you can prepare for a successful on-site QSA assessment.
What Is a Report on Compliance (ROC)?
A Report on Compliance (ROC) is the formal assessment document produced by a Qualified Security Assessor (QSA) after conducting an on-site evaluation of an organisation's PCI DSS controls. The ROC provides detailed findings for each of the 322 PCI DSS requirements, including evidence reviewed, personnel interviewed, and the assessor's determination of compliance status.
Unlike a Self-Assessment Questionnaire (SAQ), which is completed by the organisation itself, a ROC requires independent validation by a PCI SSC-certified assessor. The ROC is the most rigorous form of PCI DSS compliance validation and is required for Level 1 merchants and all service providers.
ROC vs SAQ Comparison
Understanding the difference between a ROC and an SAQ is critical for determining your compliance path. Here is a side-by-side comparison:
| Feature | ROC | SAQ |
|---|---|---|
| Who completes it | Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) | The merchant or service provider (self-assessment) |
| Assessor type | PCI SSC-certified QSA from a QSAC firm | Internal staff (QSA guidance optional but recommended) |
| On-site assessment required | Yes — QSA must conduct on-site evaluation | No — self-assessment, though QSA may assist |
| Documentation depth | Comprehensive — all 322 requirements with evidence | Varies by SAQ type — subset of requirements |
| Typical cost range | $50,000 to $500,000+ depending on scope | $5,000 to $50,000 with consultant assistance |
| Typical timeline | 4 to 8 months including preparation | 2 to 8 weeks depending on SAQ type |
ROC Document Structure
The ROC follows a prescribed structure defined by the PCI SSC ROC Reporting Template. Understanding each section helps you prepare the right evidence and documentation in advance.
Executive Summary
High-level overview of the assessment scope, methodology, and overall compliance status. Includes the assessor's summary opinion and key findings.
Description of Scope
Detailed documentation of the cardholder data environment (CDE) including all in-scope systems, networks, applications, and third-party connections.
Network Diagrams & Data Flows
Visual representations of the network architecture showing CDE boundaries, segmentation controls, and cardholder data flow from ingress to storage and disposal.
Detailed Findings (Req. 1-12)
The core of the ROC — detailed findings for each of the 12 PCI DSS requirement families covering all 322 individual requirements with evidence references.
Compensating Controls Worksheets
Documentation for any requirements met through compensating controls rather than the stated requirement, including risk justification and control validation.
Appendices
Supporting materials including segmentation test results, ASV scan summaries, penetration test executive summaries, and the signed Attestation of Compliance (AOC).
Evidence Required for a ROC
QSAs will request a wide range of evidence during the assessment. Having these documents organised and current before the on-site visit significantly reduces assessment time and cost.
Common ROC Failure Points
These are the most frequently cited reasons organisations fail to achieve a clean ROC on their first assessment attempt. Addressing these areas proactively can save months of remediation.
Incomplete Scope Documentation
Failing to identify and document all systems, networks, and third parties that interact with cardholder data. Scope gaps are the single most common reason ROC assessments stall or require rework.
Missing Compensating Control Worksheets
Using compensating controls without completing the formal Compensating Control Worksheet for each one. QSAs cannot accept compensating controls without documented risk analysis and justification.
Outdated Network Diagrams
Presenting network diagrams that do not reflect the current environment. Diagrams must show all connections to the CDE, including remote access paths, third-party connections, and wireless networks.
Insufficient Daily Log Review Evidence
Requirement 10.4.1 mandates daily review of security events. Many organisations cannot demonstrate consistent, documented daily log reviews for the entire assessment period.
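The practical problem behind this failure point is proving continuous coverage: a QSA samples the assessment period and looks for days with no signed-off review. The script below is an added example, not GRCTrack's code or anything from the PCI SSC; it assumes a hypothetical export of daily review sign-offs as a list of records with an ISO date and a status, walks every calendar day of the assessment period, and reports the gaps (including a gap that runs to the end of the period and days whose review was started but never signed off).

```python
from datetime import date, timedelta

# Constructed sample evidence: one record per daily log-review sign-off, in the
# shape a ticketing or SIEM workflow export might take (hypothetical format).
SAMPLE_REVIEW_LOG = [
    {"date": "2024-03-01", "reviewer": "soc-analyst-1", "status": "complete"},
    {"date": "2024-03-02", "reviewer": "soc-analyst-2", "status": "complete"},
    {"date": "2024-03-03", "reviewer": "soc-analyst-1", "status": "complete"},
    # 2024-03-04 and 2024-03-05 are absent: a weekend nobody covered.
    {"date": "2024-03-06", "reviewer": "soc-analyst-2", "status": "complete"},
    # Started but never signed off; this does not count as evidence.
    {"date": "2024-03-07", "reviewer": "soc-analyst-1", "status": "in_progress"},
    {"date": "2024-03-08", "reviewer": "soc-analyst-2", "status": "complete"},
    {"date": "2024-03-08", "reviewer": "soc-analyst-1", "status": "complete"},  # two reviews on one day is fine
    {"date": "2024-03-10", "reviewer": "soc-analyst-1", "status": "complete"},
]


def covered_days(records):
    """Set of calendar days that have at least one completed, signed-off review."""
    return {
        date.fromisoformat(r["date"])
        for r in records
        if r.get("status") == "complete"
    }


def find_review_gaps(records, period_start, period_end):
    """Return [(gap_start, gap_end), ...] as ISO strings for every run of days in
    the assessment period that has no completed review. Inclusive on both ends."""
    start = date.fromisoformat(period_start)
    end = date.fromisoformat(period_end)
    covered = covered_days(records)
    gaps = []
    gap_start = None
    day = start
    while day <= end:
        if day in covered:
            if gap_start is not None:
                gaps.append((gap_start.isoformat(), (day - timedelta(days=1)).isoformat()))
                gap_start = None
        elif gap_start is None:
            gap_start = day
        day += timedelta(days=1)
    # A gap that reaches the end of the period must still be reported.
    if gap_start is not None:
        gaps.append((gap_start.isoformat(), end.isoformat()))
    return gaps


def coverage_summary(records, period_start, period_end):
    """Headline numbers a QSA would ask for: period length, covered days, missing days."""
    start = date.fromisoformat(period_start)
    end = date.fromisoformat(period_end)
    total = (end - start).days + 1
    gaps = find_review_gaps(records, period_start, period_end)
    missing = sum(
        (date.fromisoformat(g_end) - date.fromisoformat(g_start)).days + 1
        for g_start, g_end in gaps
    )
    return {
        "period_days": total,
        "days_with_review": total - missing,
        "missing_days": missing,
        "gaps": gaps,
    }


if __name__ == "__main__":
    summary = coverage_summary(SAMPLE_REVIEW_LOG, "2024-03-01", "2024-03-10")
    print(f"{summary['days_with_review']}/{summary['period_days']} days have a signed-off review")
    for g_start, g_end in summary["gaps"]:
        print(f"  gap: {g_start} to {g_end}")
```

Run this against the real export before the QSA does, with the period set to the full assessment window rather than the last few weeks; in-progress or unsigned records are deliberately excluded so the numbers match what an assessor would accept as evidence.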
Weak Access Control Documentation
Inadequate documentation of access provisioning, review, and revocation processes. Requirement 7 demands documented approval for all access to cardholder data based on business need.
Missing Third-Party Acknowledgments
Requirement 12.8 requires written agreements with service providers acknowledging their responsibility for cardholder data security. Missing or incomplete agreements are a frequent finding.
How GRCTrack Helps You Prepare for a ROC
Evidence Management with Version Control
Upload, organise, and version-control all assessment evidence in a centralised repository. Track document freshness and receive alerts when evidence approaches expiration.
Real-Time Control Status Tracking
Monitor the compliance status of all 322 requirements in real time. Dashboards show which controls are in place, which need attention, and overall assessment readiness.
Automated Evidence Collection Scheduling
Schedule recurring evidence collection tasks aligned with PCI DSS frequencies. Automated reminders ensure quarterly scans, daily log reviews, and annual policy reviews stay on track.
QSA Collaboration Portal
Provide your QSA with secure, role-based access to evidence, control documentation, and assessment progress. Eliminate email-based evidence exchange with a shared workspace.
Gap Analysis Dashboard
Identify gaps before your QSA does. The gap analysis dashboard highlights missing evidence, incomplete controls, and requirements that need compensating control documentation.
ROC-Aligned Reporting Templates
Generate reports structured to match the ROC Reporting Template format. Pre-populate assessor worksheets with evidence references and control descriptions to accelerate the assessment.
Frequently Asked Questions About the ROC
How long does a ROC assessment typically take?
A full ROC assessment typically takes 2 to 6 weeks of on-site QSA engagement, depending on the complexity of the cardholder data environment, the number of locations, and the organisation's readiness. However, the entire process from scoping through final report submission often spans 4 to 8 months when including preparation, remediation, and reporting phases.
What is the difference between a ROC and an AOC?
A Report on Compliance (ROC) is the detailed assessment document that contains the full findings, evidence references, and assessor notes for all 322 PCI DSS requirements. An Attestation of Compliance (AOC) is a summary document signed by both the merchant or service provider and the QSA, confirming the results of the assessment. The AOC is typically what is shared with acquiring banks and card brands, while the full ROC is retained for reference.
Can a merchant complete a ROC without a QSA?
No. A ROC must be completed by a PCI SSC-qualified QSA or an Internal Security Assessor (ISA) who has been trained and certified by the PCI SSC. Unlike SAQs, which are self-assessment instruments, ROCs require independent validation by a qualified assessor. ISAs can only assess their own organisation and must still be sponsored by a QSAC.
What happens if my organisation fails the ROC assessment?
If the QSA identifies requirements that are not in place, the organisation can remediate the findings and have the QSA re-validate those specific areas. The ROC is not submitted until all requirements are assessed as "in place" or have approved compensating controls. Organisations should plan for remediation time within their assessment timeline to avoid delays in compliance reporting.
How often does a ROC need to be completed?
PCI DSS requires annual revalidation. Level 1 merchants and service providers must complete a new ROC every 12 months. The assessment period covers the controls in place at the time of the assessment, and organisations must maintain compliance continuously between annual assessments. Quarterly ASV scans and ongoing monitoring are required throughout the year.
Prepare for Your ROC Assessment
Streamline evidence collection, track control status, and collaborate with your QSA in a single platform built for ROC readiness.