PCI Report on Compliance (RoC)

All organizations that store, process or transmit credit card data must comply with relevant PCI data security standards.

The RoC validates compliance efforts on an annual basis. SecureState's Qualified Security Assessors (QSAs) will assess your organization to validate full compliance with the PCI DSS.


The Payment Card Industry Data Security Standard (PCI DSS) is a contractual requirement for organizations that wish to accept payment by credit card. By complying with PCI requirements, merchants and service providers not only meet their obligations but also establish a security baseline that has several benefits. PCI compliant companies gain a competitive advantage by securing their infrastructure while increasing their overall credibility. Maintaining PCI compliance helps protect customers by safeguarding their credit card information, and it builds customer confidence, since customers know their credit card information is protected. Finally, for any organization to claim “Safe Harbor,” it must have been in full compliance with the PCI DSS at the time of a breach, as demonstrated during a forensic investigation, and must have validated full compliance prior to the compromise.


SecureState is licensed in both the United States of America as well as Canada to provide comprehensive PCI assessments. We support our clients’ PCI programs through a combination of web-based resources including our proprietary MyState Portal and a team of credentialed PCI specialists. SecureState has provided PCI training at ISACA events, leading payment vendor conferences, as well as independent seminars.

In addition, SecureState can support you with comprehensive PCI support services throughout the year. Through a combination of online resources and on-demand consulting from SecureState’s team of executive analysts, you receive the support you need to achieve and maintain compliance.

Approach and Methodology

Prior to coming on site, SecureState will introduce all of the participants in the engagement, define each person's roles and responsibilities, and review the high-level activities for the engagement. We will also establish the time frame for onsite activities and set up a collaborative portal.

As part of the PCI assessment, SecureState collects and reviews all required documentation related to PCI compliance, including information security policies and procedures, the incident response plan (IRP), network and system configuration standards and reports, periodic testing results (e.g., ASV scans, penetration testing, internal vulnerability scans) and other associated evidence, prior to the required on-site portion of the engagement. SecureState will document and align PCI requirements with the collected client documentation, identify potential issues, and provide results back to the client, requesting additional documentation if areas of concern or noncompliance are found.

Once SecureState is onsite, we will validate the scope and confirm that the required controls are in place in accordance with the PCI DSS. We will thoroughly analyze and document the existing controls used to protect cardholder data (CHD). Additionally, we will identify opportunities to mature your overall compliance program.

SecureState will document all of our efforts exhaustively, including reviewing the systems and network components within the cardholder environment. Our consultants will review and confirm scoping limitations to the PCI cardholder data environment (CDE) while also highlighting our interviews with key personnel on compliance activities.

Upon completion of the onsite assessment, the SecureState team will analyze the evidence provided to validate that the controls are compliant. They will document findings within the PCI SSC-defined Report on Compliance (RoC) template.

Upon completion of requirement validation, SecureState will deliver the RoC and associated Attestation of Compliance (AoC) for review and countersignature. SecureState will also complete required submissions to the defined organizations for service providers. SecureState will then hold a closing call to recap the assessment and discuss areas for compliance program improvements.
