Glossary
ROC (Report on Compliance)
The ROC, or Report on Compliance, is a comprehensive document that outlines the results of an entity's assessment against the PCI DSS (Payment Card Industry Data Security Standard) requirements. This report is critical for organizations that handle large volumes of cardholder data and are required to formally validate their PCI DSS compliance annually.
The ROC is prepared by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) who has been certified to assess PCI compliance. The report provides a detailed review of the organization’s adherence to the specific security controls and processes mandated by the PCI DSS. These controls include but are not limited to maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
In preparing an ROC, the assessor will:
The ROC serves several purposes:
Completion and submission of the ROC to the relevant parties (such as banks and card networks) are essential steps in maintaining compliance status and demonstrating a commitment to the security of cardholder data. For larger organizations, maintaining compliance and ensuring that all elements are accurately reflected in the ROC is a significant, ongoing task that requires continuous monitoring and updating of security measures.