Should part 4 of an AOC be left blank?
A slightly controversial topic among the PCI-pedantic such as myself. And nothing in the FAQ on the topic 🙁 A quick survey of AOCs by 9 different QSACs shows a split of 6 check YES and 3 leave it BLANK. A discussion among PCI professionals shows a great variety of approaches being undertaken, including variations on plugging N/A into the remediation date column.
And the analytical among you may wonder, who cares? Well that was my opinion too until a payment facilitator refused to accept a compliant AOC from a merchant with a blank Part 4 while they were setting up their new merchant account. They claim it was “incomplete” and that the assessor would need to edit the document (and promise that next year’s was completed too).
Argument for blank Part 4
- The title does say “for non compliant requirements” and if your requirements are compliant, the wording suggests it is non-applicable.
- Anecdotal evidence of QSACs who have received the instruction “leave it blank” from the council when undergoing an AQM (Quality Review from the council (PCI SSC)).
- EVERY merchant and service provider AOC form say that you should check with the card brands (service providers and merchants) or “your acquirer” (merchants) before completing Part 4. Both the self assessment forms AND the onsite compliance forms. I dont think this commonly occurs, leaving me to think that most AOCs have (or should have) a blank Part 4.
- This PCI ramblings blog says: It is unlikely that this section will be completed as this is used for AOCs that are Non-Compliant.
- The Council’s Assessor training includes the following text:
An entity submitting an attestation with a status of non-compliant may be required to complete the Action Plan for non-compliant status, in the AOC.
There is no mention of what a status of compliant should do, but it seems logical to infer that it is NOT complete the Action Plan.
Argument to complete Part 4
- There are “COMPLIANT” boxes you can check off! Why wouldn’t you?
- Anecdotal evidence of QSACs who have received the instruction “leave nothing blank” from the council when undergoing an AQM (Quality Review from the council (PCI SSC)).
There is no clear guidance. Based on the info above:
If you are a QSA completing the AOC, ensure your quality assurance process documents your company’s standards and be consistent. And let us all know how it goes during your quality assurance review with the council!
If you are completing a Self Assessment, either way would be good enough for me!
If you are relying on the Attestation of Compliance for verifying an entity’s compliance status, a blank or completed part 4 does not make a material impact, and either seems acceptable to me!
Ad below this line: