What’s the Difference Between an SAQ and a RoC?

In today’s blog, we are going to focus on PCI compliance. If you are being asked to show that you are handling credit card information appropriately and are compliant with the PCI Data Security Standard (DSS), there are two ways this can be done, a Self Assessment Questionnaire (SAQ) or a Report on Compliance (RoC). Although they are both based on the same standard and requirements, the difference between an SAQ and a RoC can be significant. We will explore these differences.

Primary Differences Between an SAQ and a RoC

An SAQ is exactly what it sounds like, a self-assessment questionnaire. You are asked to fill it out yourself and to attest to your current compliance posture. No one is verifying or checking your work. With that being said, it is important to be truthful on these questionnaires because if your acquiring bank eventually finds out, there could be legal and financial ramifications for your company. But ultimately, you are filling it out yourself based on your understanding of your network. No outside resources are necessary and this process will only cost your time.

A RoC, however, is a much more involved process. A RoC requires a Qualified Security Assessor (QSA) to come in and audit your organization. A QSA is an organization with an auditor trained and certified by the PCI Council to perform these audits. A list of qualified companies, including Triaxiom Security, can be found here. This auditor will come in to assess and validate every requirement to ensure your organization is meeting the requirements as set forth in the PCI DSS. Of note, the auditor has to keep evidence of every control marked as compliant. This can include screenshots, notes from interviews, policies, router/firewall configurations, etc. This assessment typically lasts around 3 weeks, with the auditor onsite for about half that time. Additionally, because it is so involved, a RoC is much resource intensive in terms of cost and time.

When Would I Have to Fill Out a RoC?

If you are a merchant that accepts credit card payments, the golden answer to this question is simply “when your acquiring bank tells you to.” If they are willing to let you keep filling out an SAQ, go for it. However, if you want to be able to anticipate where this threshold is, it has to do with what level of merchant you are. There is more on that here, but essentially, if you are a level-1 merchant (usually based on number of transactions) you can expect to be required to complete a RoC. It is important to note that even if you are not a level-1 merchant, your acquiring bank may force you to go through the RoC process anyways if they determine you to be at high risk or fall into a special case.

If you are a service provider, again there are levels that are based on how many transactions you store, process, and/or transmit on behalf of your customers, or the number of cards you could impact the security of. The primary difference is that you most likely are not dealing with an acquiring bank, so it will be your clients who demand you have a RoC as opposed to an SAQ.


Hopefully this blog helps you understand the difference between an SAQ and a RoC. Please check out our other blogs for more details on both, including information about how to select the right SAQ, and what is involved with a QSA on-site evaluation. As always, feel free to reach out to us with any questions, or to get started with your assessment. Triaxiom can assist you with both filling out an SAQ or completing a full RoC.