Validation route and reporting guide

Understand PCI DSS Validation Before You Submit Evidence

Guide to PCI DSS validation terms including SAQ, AOC, ROC, QSA, ASV scans, merchant/service-provider validation, and readiness preparation.

Determine requesterConfirm eligibilityPrepare evidence
01

Validation Terms

An SAQ is a self-assessment questionnaire used by many merchants. An AOC is an attestation of compliance. A ROC is a report on compliance, commonly associated with a formal assessment. A QSA is a PCI SSC-qualified assessor organization. An ASV is an approved scanning vendor for external vulnerability scanning.

The right validation path depends on the requesting organization, payment brand, acquirer, merchant level, service-provider role, and payment architecture.

02

Readiness Before Validation

Before signing or submitting anything, the business should review scope, payment flows, technical controls, policies, evidence, vulnerability scans, access control, logging, vendor records, and remediation status.

Readiness work reduces the chance of discovering basic gaps during a stressful validation process.

03

How OC Security Audit Fits

OC Security Audit can prepare the organization, organize evidence, identify technical gaps, coordinate remediation priorities, and help your IT team or MSP understand what a QSA or requesting organization may ask for.

OC Security Audit does not replace a required QSA, acquirer, payment brand, legal advisor, or formal validation authority.

Validation Terms Decide the Evidence Burden

SAQ, AOC, ROC, QSA, and ASV are not interchangeable labels. They describe different ways a business may need to validate or support PCI DSS compliance depending on role, payment architecture, transaction volume, customer requests, acquirer expectations, and service-provider obligations.

A rushed validation process often fails because the environment was never scoped carefully and the evidence does not match the answers.

Validation Dossier Structure

Scope packet

Payment-flow diagrams, CDE inventory, segmentation explanation, vendor list, and storage review.

Control packet

Policies, procedures, access control, MFA, logging, vulnerability management, secure configuration, and incident-response evidence.

Testing packet

External scans, internal scans, penetration-test or segmentation-test support where applicable, remediation tickets, and retest proof.

Third-party packet

Vendor AOCs, shared-responsibility notes, support access controls, contracts, processor documentation, and escalation contacts.

Before You Sign or Submit

  1. 01

    Reconcile scope

    Make sure the validation document describes the real payment environment and not an outdated diagram.

  2. 02

    Validate evidence age

    Use current evidence that reflects today’s systems, not old screenshots taken before major changes.

  3. 03

    Resolve open findings

    Failed scans, missing MFA, weak segmentation, and unclear vendor access should have closure or documented risk treatment.

  4. 04

    Confirm responsibility

    Know whether the merchant, processor, MSP, QSA, ASV, hosting provider, or software vendor owns each requested item.

How OC Security Audit Supports the Validation Conversation

OC Security Audit can prepare the business for conversations with processors, customers, acquirers, QSAs, ASVs, and IT providers by organizing the technical reality before the formal response is submitted.

This readiness work improves clarity, but it does not replace a required QSA, acquirer instruction, payment-brand decision, legal review, or formal validation authority.

Written for: Business owners, CFOs, IT managers, compliance coordinators, and service providers preparing for PCI DSS validation.

Validation Terms and Preparation Records

Use this table to match common PCI DSS validation terms with the evidence conversation behind them.

TermMeaningWhat to prepare
SAQSelf-assessment questionnaireAccurate scope and control evidence
AOCAttestation of complianceSigned representation of validation outcome
ROCReport on complianceFormal assessment evidence and testing
ASVApproved scanning vendorExternal scan remediation and passing scans

Validation authority depends on the requesting organization

PCI SSC publishes assessment documents and qualification programs but does not enforce compliance or set every validation requirement. Confirm the route with the acquirer, payment brand, or requester. Read the PCI SSC validation FAQ.

Contents of a submission-ready validation file

Requester record

Retain the original instruction, portal notice, contract requirement, merchant or service-provider designation, entity, merchant identifier, locations, payment channels, reporting period, deadline, and contact who can answer program questions.

Eligibility analysis

Compare every eligibility condition in the current assessment document with the real architecture. Cite payment-flow evidence, provider implementation, terminal design, data storage conclusion, ecommerce element origin, network relationship, and any exception requiring requester clarification.

Assessment support

Index applicable requirements to the implementation, owner, evidence, sample, test result, open finding, compensating or customized control process, and management decision. Keep working papers protected and separate factual evidence from drafts or unsupported assumptions.

Submission history

Preserve signed forms, final reports, scan attestations, portal confirmations, clarification questions, corrected versions, acceptance messages, and next due date. Record changes from the prior period so a different answer can be explained through architecture or program evidence.

Avoid validation rework by resolving evidence questions early

Questionnaire eligibility should be documented statement by statement against the actual payment architecture. Record the processor and service-provider implementation, origin of payment-page elements, terminal connectivity, data storage, network relationship, and any system that can influence payment security. If one eligibility condition is not met, the organization should not select the form because it appears shorter or was used in a prior year.

An Attestation of Compliance represents assessment results; it should follow technical and management review. Before signature, reconcile entity names, locations, payment channels, scope, exceptions, compensating controls, service providers, scan status, and open findings. The signatory should understand which statements depend on provider evidence and which remain the organization's responsibility.

Qualified Security Assessors and Approved Scanning Vendors have defined roles. A QSA assessment, ASV scan, internal vulnerability scan, penetration test, forensic investigation, and readiness review are not substitutes for one another. Engagement documents should state the service, scope, deliverable, qualification, evidence handling, retest expectations, and who accepts the result.

Maintain a validation history that includes requester instructions, submitted forms, portal confirmations, clarification questions, provider documents, scope changes, scan reports, remediation, management approvals, and the next due date. That history reduces contradictory answers and helps the next reviewer understand why the validation route changed after a new system or payment channel.

Validation Details That Reduce Rework

The validation route should not be chosen by guessing from a form title. A business should review the payment architecture, requester instructions, merchant or service-provider role, transaction context, external exposure, and vendor documentation before selecting a response path.

Good preparation also prevents over-answering. When hosted payment methods, tokenization, or segmentation reduce scope, the business should be able to show why fewer systems are included, not merely claim they are outside the environment.

Management review before submission

Before signing, present open findings, temporary safeguards, unsupported evidence, provider dependencies, eligibility assumptions, scan status, and unresolved requester questions to the authorized business owner. The review should distinguish a control that is effective, a control with an approved exception, and a statement that cannot yet be supported.

If the environment changed during the reporting period, preserve the change history and explain its effect on scope, questionnaire eligibility, testing, and provider reliance. A transparent record is stronger than forcing the current environment into the same validation route used last year.

Prepare the dossier before anyone signs

The evidence manual helps create a defensible submission record. The testing guide keeps scan and retest proof connected to the systems in scope.

PCI DSS Policies, Procedures, and Evidence Checklist: Create a traceable evidence repository before formal submission.

PCI DSS Vulnerability Scanning, Penetration Testing, and ASV Readiness: Prepare the scan, finding, remediation, and retest record required by the environment.

PCI DSS Compliance in Orange County: Reconnect validation preparation to the broader Orange County payment-security program.

Readiness support can prepare the organization without misrepresenting the role of the acquirer, payment brand, QSA, ASV, or other requester. Contact OC Security Audit.

Prepare for validation without confusing readiness and attestation

Ali Hassani organizes architecture, control evidence, scan history, vendor responsibility, remediation status, and executive decisions before formal submission.

Ali Hassani is a CISO, cybersecurity and IT consultant, and infrastructure leader with 25+ years of experience. His credentials include CISSP, CCISO, CCNP, CCNA, MCSE, MCSA Security, MCITP, MCP, and MCTS.