ROCs and SAQs: Which PCI DSS Compliance Validation Route Applies to Your Business?

14 May 2026

Demonstrating your compliance with the PCI DSS (Payment Card Industry Data Security Standard) – known as validation – can be the most time-consuming aspect of a compliance project. This is because the route you must follow isn’t a matter of choice but is determined by how your business processes card payments.

There are two main validation routes: the ROC (Report on Compliance) and the SAQ (Self-Assessment Questionnaire). Which applies to you depends primarily on your merchant or service provider level, which is itself determined by your annual transaction volumes and, in some cases, your payment environment.

Merchant and service provider levels at a glance

Merchants and service providers are divided into different levels, depending on the number of transactions they process, among other factors. You can find an overview of these levels in Do You Need to Comply with the PCI DSS? A Practical Guide for Businesses.

Your acquiring bank or payment brand will confirm which level applies to you. Once you’ve determined that, the following validation routes will apply:

  • Level 1 merchants must undergo an annual on-site assessment by a QSA (Qualified Security Assessor), resulting in an ROC (Report on Compliance). This is a formal, independent audit covering all 12 requirements of the PCI DSS.
  • Level 2, 3 and 4 merchants are generally eligible to self-assess using an SAQ (Self-Assessment Questionnaire) – a structured set of yes/no questions mirroring the PCI DSS requirements relevant to your specific environment.
  • Level 1 service providers must submit an ROC completed by a PCI QSA organisation or an ISA (Internal Security Assessor), and must undergo quarterly ASV (Approved Scanning Vendor) scanning.
  • Level 2 service providers must submit an ROC completed by a PCI QSA organisation or an ISA (Internal Security Assessor), or an SAQ signed by a company officer, and must undergo quarterly ASV scanning.

The ROC (Report on Compliance) and what it involves

An ROC is the most rigorous form of PCI DSS validation. It is produced by a PCI QSA following an independent, evidence-based assessment of your entire cardholder data environment – not just a selection of controls, but all 12 requirements of the Standard and their associated sub-requirements.

In practice, this means the QSA will examine your network architecture, system configurations, access controls, cryptographic practices, monitoring and logging, and your policies and procedures. They will interview staff, observe processes and test controls directly. Documentary evidence is required at every stage – assertions alone are not sufficient.

The output is a formal report that your acquiring bank submits to the relevant card brands. An ROC cannot be completed internally by your own team; it must be conducted by an approved QSA organisation listed on the PCI SSC (Payment Card Industry Security Standards Council) website.

Although ROC assessments are most commonly associated with large organisations, they can apply to smaller businesses too – particularly those with complex payment environments, those that have suffered a breach, or those that a card brand has specifically required to undergo a full assessment. Transaction volume sets the floor, not the ceiling.

SAQs (Self-Assessment Questionnaires) and how to choose the right one

For organisations at merchant Levels 2, 3 and 4, self-assessment via an SAQ is the standard validation route. The SAQ is not a simplified alternative to the PCI DSS – it covers the same requirements, filtered to those relevant to your specific payment model.

There are ten SAQ types, and which one applies to your organisation depends on how you actually accept and handle card payments.

Choosing the wrong SAQ – typically a simpler one you’re not actually eligible for – is one of the most common compliance mistakes. Eligibility depends on your technical environment, not your preference.

To learn more about PCI SAQs and how to choose the right one, read our practical guide, Choosing the Right PCI DSS SAQ, by Sujith Parambath, our head of PCI consulting services.

If you’re uncertain which validation route applies to you – or whether your current approach is actually correct – that uncertainty is worth resolving before your next validation cycle.

Looking for support validating your PCI DSS compliance?
As a PCI QSA company, we can help you map your cardholder data environment, confirm your compliance level and identify the right validation route for your organisation. Contact us today for expert guidance.