Skip Ribbon Commands
Skip to main content
Home > Services > Audit and Compliance > PCI (ROC) Issuance


PCI Assessment - Report on Compliance (RoC)


The Payment Card Industry - Data Security Standard (PCI-DSS) was created to encourage broad adoption of consistent data security controls. The Report on Compliance (RoC) is created during the on-site audit, providing details about the entity’s cardholder data environment (CDE), assessment methodology, and formally documents the your compliance status.


  • Validation of compliance with the PCI DSS
  • Identification of non-compliant areas and understanding of what actions are needed to comply with the PCI DSS
  • Proper 3rd party objective demonstration of PCI DSS compliance
  • Avoidance of damages often totaling millions of dollars that could result from a cardholder data compromise
  • Competitive edge through securing infrastructure
  • Safeguards against customers’ identity theft
  • A “Safe Harbor” claim requires the entity to be in full compliance with the PCI DSS prior to, and at the time of a breach


SecureState’s Audit & Compliance consultants are experts in understanding both the technical aspects as well as the business aspects of your organization. As a Qualified Security Assessor (QSA), Payment Application QSA and Approved Scanning Vendor (ASV), SecureState has the knowledge and expertise required to assist your organization with PCI compliance.

Did You Know?

  • Validation of compliance is required annually
  • 89% of merchants that have suffered a breach had not validated compliance with the PCI DSS
  • Compliance is required throughout the year
  • Validation requirements differ between each card brand
  • Card brands provide safe harbor from fines and additional assessments if an entity is found to be PCI compliant at the time of a breach or compromise
  • A typical PCI onsite assessment can take between 2- 6 weeks depending on the size and complexity of the organization
  • A PCI Onsite Assessment must be performed annually.

Our Approach and Methodology

Each card brand maintains their own Payment Card Industry (PCI) Data Security Standard (DSS) compliance and validation requirements based on the number of transactions stored, processed, or transmitted. Typically, Level 1 Merchants ( 6 million transactions annually) and Service Providers ( 300,000 transactions annually) are required to validate compliance with the PCI DSS through an onsite assessment. Beginning on June 20, 2012, MasterCard will also require that Level 2 Merchants (1-6 million annual transactions) either use staff that has completed PCI Internal Security Assessor (ISA) training to conduct a self-assessment or utilize a QSA to conduct the onsite assessment.

PCI DSS compliance requirements can typically be found in merchant agreements with acquiring banks and within contractual agreements for service providers. Federal and state governments have added their own compliance requirements, including the GLBA, FTC Act and state breach notification laws.

SecureState’s approach to a PCI Onsite Assessment follows a phased approach to make the most effective and efficient use of time. The goals are to:

  • Review documentation prior to the onsite visit to minimize disruptions
  • Keep you up-to-date on evolving PCI requirements, threats, and liabilities
  • Provide weekly status updates on remediation requirements
  • Avoid damages often totaling millions of dollars that could result from a cardholder data compromise
  • Partner with your organization to ensure full compliance and a secure cardholder data environment

The stages of our PCI Onsite Assessment, with limited descriptions, are as follows:

Pre-Onsite Visit:

  • Introduce engagement participants and define roles
  • Review assessment activities
  • Establish schedules

Documentation Review:

  • Collect, review, and assess security policies, procedures, and diagrams

On-site Review:

  • Review and confirm scoping limitations to the PCI cardholder environment.
  • Interview key personnel on compliance activities.
  • Sample cardholder locations, equipment, and devices associated with processing cardholder information, if necessary, per section below.


  • Document existing controls
  • Assess compliance of existing controls
  • Identify gaps and provide remediation advice
  • Deliver the RoC and AoC

What Makes Us Different


  • Provides comprehensive on-demand security expertise during the engagement and throughout the year
  • Supports its clients’ PCI programs with our proprietary “MyState Portal” and a team of credentialed PCI specialists
  • Maintains close relationships with our clients because we actually care about the outcome of the assessment
  • Provides consistent control requirement interpretations. Any ambiguous requirements are reviewed, researched, and agreed upon by all SecureState QSAs to ensure opinions do not differ from year to year or among the QSAs