Every business that accepts card payments must prove that it can handle customer data securely. Payment Card Industry (PCI) attestation is the formal process that shows your payment systems meet industry security standards. Typically, this is what banks and payment partners review before they approve you to handle transactions at scale.
With the average global cost of a data breach reaching $4.4 million in 2025, demonstrating compliance is an important financial safeguard against the growing cost of data exposure. Below, we’ll explain what the Attestation of Compliance (AOC) is, how the process works, the requirements behind it, and its benefits—and challenges—for businesses.
What’s in this article?
- What is PCI attestation?
- How does the PCI attestation process work?
- What are the PCI DSS requirements for attestation?
- What types of PCI attestation exist?
- How do you complete the PCI Attestation of Compliance form?
- What are the main benefits of PCI attestation?
- What challenges do businesses face with PCI attestation?
- How Stripe Payments can help
What is PCI attestation?
PCI attestation is the formal declaration that your business complies with the Payment Card Industry Data Security Standard (PCI DSS). It comes in the form of the Attestation of Compliance: a short document that confirms you’ve implemented the required security controls to protect cardholder data.
The AOC is signed either by an independent Qualified Security Assessor (QSA) or by an authorized executive after you complete a Self-Assessment Questionnaire (SAQ). It summarizes how your PCI assessment was conducted, what was reviewed, and whether you met the requirements. Larger businesses usually undergo QSA audits, while smaller ones rely on the SAQ.
An attestation is valid for 12 months, after which it must be renewed. Unlike the detailed Report on Compliance (ROC), which stays internal, the AOC is the document you share with banks, partners, or clients as proof that your payment systems meet industry standards.
How does the PCI attestation process work?
PCI attestation is one step in a longer cycle: scope, secure, assess, attest, and maintain. Each phase ensures cardholder data is identified, protected, tested, and continuously monitored.
Here’s a step-by-step look at the attestation process:
- Define scope and level: Map out where card data lives in your systems and determine your merchant level based on transaction volume. This dictates how rigorous your assessment must be. 
- Put controls in place: Implement the PCI DSS requirements, which include firewalls, encryption, access restrictions, monitoring, and training. This stage is usually the most arduous, since it can involve system upgrades, configuration changes, and new policies. 
- Assess compliance: Smaller merchants (Levels 2–4) complete SAQs that are customized to their setups. Large merchants (Level 1) undergo an on-site audit by a QSA, resulting in a detailed ROC. Either way, you’ll also need to do vulnerability scans or penetration tests, especially for online environments. 
- Remediate gaps: Your business might not pass on the first try. Common reasons for this include missing patches, weak password rules, or unsegmented networks. Compensating controls are allowed, but they must be documented and justified. 
- Complete the AOC: Once issues are resolved, fill out the official AOC form with company info, scope of assessment, compliance summary, and signatures from an executive (and a QSA, if one is involved). This becomes your proof of compliance for banks and partners. 
- Maintain compliance year-round: Quarterly scans, system monitoring, and staff training keep you aligned with the standard until the next annual renewal. 
What are the PCI DSS requirements for attestation?
To sign an Attestation of Compliance, a business has to show it meets the 12 PCI DSS requirements. They cover everything from network security to employee training. While the 12 requirements are broad, each breaks down into many subrequirements—more than 300 in total. At a high level, they correspond to commonsense practices for safeguarding cardholder data.
These are the 12 requirements:
- Firewalls: Maintain strong network defenses to keep unauthorized traffic away from cardholder data. 
- No defaults: Change vendor-supplied passwords and settings. 
- Data storage: Only store cardholder data if it’s absolutely necessary, and render it unreadable through encryption or tokenization. Never store sensitive data such as card verification value (CVV) codes. 
- Encryption in transit: Protect card data as it moves over open networks using strong cryptography—for example, Transport Layer Security (TLS). 
- Malware defenses: Keep antivirus and antimalware software active and up-to-date across systems. 
- Patch management: Apply security updates promptly and follow secure development practices for any custom code. 
- Access control: Limit data access strictly to people who need it for their jobs. 
- User authentication: Give every user a unique ID, enforce strong passwords, and require multifactor authentication where applicable. 
- Physical safeguards: Restrict physical access to servers, terminals, and storage areas that hold card data. 
- Logging and monitoring: Track and review activity on systems that touch card data. 
- Testing: Run regular scans, penetration tests, and system checks to confirm defenses are working. 
- Policy and training: Document security policies, keep them current, and train employees to follow them. 
Not every requirement applies in every environment. Businesses that never store card data, for instance, can mark storage controls as “not applicable.” But organizations will typically need to address all 12 in some way. PCI DSS v4.0.1, the newest version, emphasizes flexibility while keeping these fundamentals intact.
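The data storage and logging requirements above are where scope mistakes usually surface in practice: a primary account number (PAN) or CVV written to an application log pulls that log system into scope. The following Python script is an added example, not code from the original article or from Stripe; it scans constructed log lines for Luhn-valid PANs, masks them to the first six and last four digits, redacts CVV fields entirely, and counts findings so a monitoring pipeline can alert on the leak.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Card-verification fields may never be stored, so they are redacted
# entirely rather than truncated.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|csc)\s*[=:]\s*\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> Tuple[str, int]:
    """Mask Luhn-valid PANs and redact CVV fields; return (scrubbed line, finding count)."""
    findings = 0

    def _mask(m) -> str:
        nonlocal findings
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # order ids and reference numbers fail Luhn; leave them
        findings += 1
        return mask_pan(digits)

    line = PAN_RE.sub(_mask, line)
    line, n = CVV_RE.subn(lambda m: f"{m.group(1)}=[REDACTED]", line)
    return line, findings + n


# Constructed sample log lines (not from any real system); the card numbers are
# the publicly documented test PANs 4111 1111 1111 1111 and 5500 0000 0000 0004.
SAMPLE_LOG = [
    "2025-03-01T10:00:01Z INFO checkout user=42 card=4111111111111111 cvv=123 amount=19.99",
    "2025-03-01T10:00:02Z INFO refund ref=1234567890123 status=ok",
    "2025-03-01T10:00:03Z DEBUG raw pan='5500 0000 0000 0004' exp=12/27",
]

if __name__ == "__main__":
    for scrubbed, n in (scrub_line(l) for l in SAMPLE_LOG):
        print(f"[{n} finding(s)] {scrubbed}")
```

Any line with a nonzero finding count is evidence that cardholder data reached a system you may not have counted as in scope, which is exactly the scoping error the next sections warn about.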
What types of PCI attestation exist?
The way you validate PCI compliance depends on your transaction volume and role in the payment chain. There are two main routes: SAQ and QSA audit. PCI rules dictate which one applies to your business.
SAQ
Small and midsize businesses, classified as Level 2 to Level 4 merchants under PCI standards, complete SAQs. Your merchant level depends mainly on how many card transactions you process each year: Level 1 is for the largest enterprises, while Levels 2–4 apply to businesses that handle fewer transactions. The SAQ is a standardized set of yes-or-no questions that cover the PCI requirements, with versions specific to different payment setups (e.g., SAQ A for fully outsourced ecommerce, SAQ D for businesses that store card data). You select the right SAQ based on how you handle cardholder data. Once it’s complete, an executive signs the Attestation of Compliance form to certify that the answers are accurate.
QSA audit
Level 1 merchants and large service providers are subject to QSA-led audits. The assessor reviews systems, policies, and controls in detail, then produces an ROC and AOC. The AOC in this case includes the QSA’s signature to confirm that an independent review was conducted.
Service providers have their own levels and often have stricter requirements than merchants. In all cases, the end product is the same: an AOC that documents how the assessment was done and who verified it.
How do you complete the PCI Attestation of Compliance form?
By the time you reach the Attestation of Compliance, the hard work is already done. The form is a record of your assessment, not the assessment itself. Accuracy and clarity matter here, since this is the document you’ll share with banks or partners. Here’s how to complete it:
- Start with the correct form: The PCI Security Standards Council publishes different AOC templates for merchants and service providers and for SAQ-based assessments and QSA-led audits. Using the wrong one can cause delays. 
- Fill in business details: Enter company information, contact details, and the date of your assessment. This ties the attestation to your organization. 
- Describe your cardholder data environment: Note the payment channels you use, which systems and locations are in scope, and which third-party providers are involved. Be precise. This section defines the boundaries of your compliance. 
- Summarize compliance: The form lists the 12 PCI DSS requirement areas. Mark each as “in place,” “not in place,” or “not applicable.” Ideally, everything’s in place by the time you sign. 
- Sign and submit: An executive always signs the AOC, and a QSA adds their signature for Level 1 audits. If any requirements weren’t met, include a documented action plan for remediation. 
Once the AOC is complete, review it carefully, submit it to your acquirer, and keep a copy on file.
What are the main benefits of PCI attestation?
PCI attestation confirms your business has met the security standard that the card networks expect. That confirmation brings advantages such as stronger defenses against breaches, greater confidence from customers, and fewer barriers when you work with partners.
Here’s a closer look at how PCI attestation can benefit your business:
- Customer trust: Completing attestation shows you take data protection seriously, which reassures customers and partners who rely on you to safeguard card details. 
- Lower risk: Following the PCI framework lowers the odds of a costly breach by enforcing controls such as encryption, monitoring, and regular testing. 
- Fewer penalties: Noncompliance can lead to fines and liability after a breach. An AOC helps demonstrate due diligence and might limit exposure. 
- Access to more partners: Some partners require proof of PCI compliance to do business. Having an AOC ready removes barriers and can even create new opportunities. 
- Smaller compliance scope (with the right provider): Using a Level 1 service provider like Stripe means sensitive data often never touches your systems. This simplifies your own obligations and makes the attestation process easier. 
What challenges do businesses face with PCI attestation?
Achieving PCI attestation requires time, coordination, and a clear understanding of the standard.
The main obstacles fall into a few categories:
- Defining scope: One of the hardest steps is mapping exactly where cardholder data flows. Miss a database or backup and you risk leaving part of your environment unsecured. Scope mistakes also cause you to choose the wrong SAQ, which can invalidate your attestation. 
- Complexity and scale: The PCI DSS contains more than 300 controls across 12 requirements. For smaller teams, this can feel overwhelming. Meanwhile, larger companies have to coordinate changes across many departments and systems. No matter the size of the business, documentation and evidence gathering take time. 
- Maintaining compliance: Treating PCI attestation as an annual exercise can be risky. Controls can drift out of place, and new systems can go live without proper safeguards. PCI DSS v4.0.1 pushes for continuous monitoring to counter this “checkbox” approach. 
- Changing requirements: Standards change. PCI DSS v4.0.1 introduced new rules on authentication, testing, and risk analysis. Businesses need to stay current and adapt quickly when requirements shift. 
- Accuracy and honesty: The attestation is a legal statement. Incomplete or inaccurate responses, or glossing over compensating controls, can come back to haunt you if a breach occurs. 
- Cost: Independent audits, security tools, scans, and staff time all add up. These expenses can feel heavy for small businesses, although the financial impact of noncompliance is far higher. 
These challenges are solvable with planning, the right expertise, and, in many cases, the right partners.
How Stripe Payments can help
Stripe Payments provides a unified, global payment solution that helps any business—from scaling startups to global enterprises—accept payments online, in person, and around the world.
Stripe Payments can help you:
- Optimize your checkout experience: Create a frictionless customer experience and save thousands of engineering hours with prebuilt payment UIs, access to 125+ payment methods, and Link, a wallet built by Stripe. 
- Expand to new markets faster: Reach customers worldwide and reduce the complexity and cost of multicurrency management with cross-border payment options, available in 195 countries across 135+ currencies. 
- Unify payments in person and online: Build a unified commerce experience across online and in-person channels to personalize interactions, reward loyalty, and grow revenue. 
- Improve payment performance: Increase revenue with a range of customizable, easy-to-configure payment tools, including no-code fraud protection and advanced capabilities to improve authorization rates. 
- Move faster with a flexible, reliable platform for growth: Build on a platform designed to scale with you, with 99.999% historical uptime and industry-leading reliability. 
Learn more about how Stripe Payments can power your online and in-person payments, or get started today.
The content of this article is intended for general informational and educational purposes only and should not be construed as legal or tax advice. Stripe does not represent or warrant that the information in this article is accurate, complete, adequate, or current. For recommendations for your specific situation, you should seek the advice of a competent attorney or accountant licensed to practice in your jurisdiction.