PCI DSS Compliance: How to Choose Between SAQ and ROC

July 7, 2026 | PCI DSS

One of the most common questions organizations face when pursuing PCI DSS compliance is whether they need to complete a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC). While both are used to demonstrate compliance with PCI DSS, they serve different purposes and are intended for different types of organizations:

  • An SAQ offers a streamlined approach to PCI DSS compliance for eligible organizations. 
  • A ROC provides a more comprehensive assessment and a higher level of assurance.
  • Regardless of which option you pursue, both are typically accompanied by an Attestation of Compliance (AOC), a document used to formally demonstrate compliance to customers, payment processors, and other stakeholders.

Here’s how to decide which path is right for your organization.

What is a Report on Compliance (ROC)?

A PCI DSS Report on Compliance (ROC) is a detailed assessment performed by a Qualified Security Assessor (QSA) following a thorough review of an organization’s cardholder data environment (CDE).

The ROC evaluates whether your organization complies with PCI DSS requirements and whether it has established and implemented effective controls for protecting cardholder data. If applicable, the report may also document areas of noncompliance and recommendations for improvement.

Organizations that process high volumes of payment card transactions are often required to complete a ROC. For example, merchants processing six million or more transactions annually, or service providers handling over 300,000 transactions annually, are generally required to undergo a ROC assessment. However, some smaller organizations also choose to complete a ROC to satisfy customer requirements or differentiate themselves from competitors.

Because of its depth and level of assurance, a ROC is often considered the most comprehensive method of demonstrating PCI DSS compliance. Depending on the complexity of the environment being assessed, the process can take anywhere from three to six months to complete.

What is a Self-Assessment Questionnaire (SAQ)?

For organizations that are not required to complete a ROC, a Self-Assessment Questionnaire (SAQ) can be a good option.

An SAQ is a PCI DSS assessment that organizations can complete on their own or with assistance and/or validation from a QSA, whose involvement is often determined by external stakeholders such as clients or partners. The questionnaire includes a series of questions designed to evaluate an organization’s security controls and identify any gaps that must be addressed to achieve compliance.

There are multiple types of SAQs designed for different business models and environments, including e-commerce businesses, retail organizations, and cloud service providers. The appropriate SAQ depends on how an organization handles payment card data and the technologies involved in payment processing.

For example, organizations that fully outsource payment processing to a PCI-compliant third-party service provider and do not store, process, or transmit cardholder data on their own systems may qualify for SAQ A. Organizations that maintain functionality on their payment pages that could impact the security of payment transactions may instead qualify for SAQ A-EP.

Compared to a ROC, an SAQ generally requires less time, effort, and documentation. However, organizations should not assume that an SAQ is automatically the right choice. Eligibility depends on specific PCI DSS criteria, transaction volumes, and customer expectations.

SAQ vs. ROC: What’s the Difference?

The biggest difference between an SAQ and a ROC is the level of assessment and reporting involved.

A ROC is a comprehensive assessment performed by a QSA and results in detailed reporting about an organization’s compliance with PCI DSS requirements. It is often required for larger merchants, service providers, or organizations with a complex CDE.

While an SAQ still evaluates compliance with PCI DSS requirements, it is generally less intensive and can be completed by the organization itself, with or without QSA assistance.

The decision between an SAQ and a ROC is not always based solely on transaction volume. Customer requirements, contractual obligations, and the nature of an organization’s environment can also influence which assessment approach is appropriate.

Where Does the AOC Fit In?

Whether your organization completes an SAQ or a ROC, the process typically culminates in an Attestation of Compliance (AOC).

An AOC is a formal document used to attest that an organization has completed its PCI DSS assessment and complies with applicable requirements. The document includes information about the scope of the assessment, the assessment results, and the organization’s compliance status.

The AOC is commonly shared with payment processors, customers, partners, and other stakeholders who require evidence of PCI DSS compliance.

Think of the ROC or SAQ as the assessment itself, while the AOC serves as the formal declaration of the assessment results. In practice, many organizations may be asked to provide their AOC as proof of compliance without sharing the full assessment documentation.

How to Determine Which Option Is Right for Your Organization

The right assessment path depends on several factors, including:

  • Annual payment card transaction volume;
  • Whether you are a merchant or service provider;
  • How your organization processes payment transactions;
  • Whether cardholder data is stored, processed, or transmitted within your environment;
  • Customer and acquiring bank requirements; and,
  • The complexity of your CDE.

For organizations with simpler environments that fully outsource payment processing, an SAQ may provide an efficient path to compliance. Organizations with larger transaction volumes, more complex environments, or customer-driven requirements may need—or choose—to pursue a ROC instead.

Because PCI DSS scoping and assessment requirements can be complex, many organizations work with a QSA firm like BARR Advisory to determine their eligibility, validate their scope, and ensure the assessment process goes smoothly.

Ready to get started? Contact us today for a free consultation.

Let's Talk