No, an Attestation of Compliance (AOC) cannot be provided to an assessed entity before the Report on Compliance (ROC) is finalized. The AOC must be completed as a declaration of the results of the assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS).

Within “Section 2: Report on Compliance” of the AOC, it is stated that the AOC “reflects the results of an onsite assessment, which is documented in an accompanying Report on Compliance (ROC)”, and there the assessor must provide the date of the assessment documented in the attestation and in the ROC, which again enforces the intent that the ROC is finalized prior to the execution of the AOC.


February 2016

Article Number 1375