PCI-DSS compliance validation requires specific documentation depending on your organisation's merchant level and service provider status. The Documentation module in Venvera helps you manage all compliance-related documents, track review cycles, and maintain an audit-ready document repository.
## SAQ Types
Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers not required to undergo a full on-site assessment:
| SAQ Type | Applies To | Scope |
|---|---|---|
| SAQ A | Card-not-present merchants (e-commerce, MOTO) that fully outsource all cardholder data functions | 22 requirements |
| SAQ A-EP | E-commerce merchants that partially outsource payment processing (the merchant's website affects the security of the transaction) | 139 requirements |
| SAQ B | Merchants using only imprint machines or standalone dial-out terminals with no electronic CHD storage | 41 requirements |
| SAQ C | Merchants with payment applications connected to the internet, no electronic CHD storage | 160 requirements |
| SAQ D (Merchants) | All merchants not qualifying for another SAQ type | All requirements |
| SAQ D (Service Providers) | Service providers eligible for SAQ validation | All requirements + SP-specific |
## Report on Compliance (ROC)
A ROC is required for:
- Level 1 merchants (over 6 million transactions annually for Visa/Mastercard)
- Level 1 service providers (over 300,000 transactions annually)
- Any entity that has experienced a cardholder data breach
- Any entity required by their acquirer to undergo a full assessment
The ROC is produced by a QSA (or ISA for merchants) after an on-site assessment and includes detailed findings for every PCI-DSS requirement.
## Attestation of Compliance (AOC)
The AOC is a formal declaration signed by the assessed entity and/or QSA confirming PCI-DSS compliance status. There are separate AOC forms for:
- Each SAQ type
- ROC-based assessments (merchants and service providers)
The AOC is typically the document shared with acquirers, card brands, and business partners to demonstrate compliance.
## Document Management
Venvera's document management capabilities include:
- Version control — Track document versions, authors, and change history
- Status tracking — Draft, Under Review, Approved, Superseded, Retired
- Review cycles — Set next review dates and receive reminders when reviews are due
- PCI requirement mapping — Link each document to the specific PCI-DSS requirement it supports
- Owner assignment — Assign document owners responsible for maintenance and review
- Effective dates — Track when each document became effective and when it was last reviewed
## Policy Requirements
PCI-DSS Requirement 12 mandates that an information security policy be established, published, maintained, and disseminated to all relevant personnel. Key policy areas include:
- Information security policy (overarching)
- Acceptable use policies for critical technologies
- Remote access policy
- Vendor/service provider management policy
- Incident response plan
- Data classification and handling policy
- Data retention and disposal policy
- Change management policy
- Risk assessment methodology
## Review Cycles
PCI-DSS requires policies to be reviewed at least annually and updated when the environment changes (Requirement 12.1.2). Venvera tracks review schedules and highlights documents that are:
- Overdue — Past the scheduled review date
- Due soon — Within 30 days of the next review date
- Current — Reviewed within the required timeframe
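As an added illustration of the review-cycle classification described above (example code written for this page, not part of Venvera), the following Python models a small document repository using the fields listed under Document Management and sorts each active document into Overdue, Due soon or Current. The 365-day default interval (derived from the annual review requirement), the 30-day window, the constructed sample documents, the reference date, and the choice to skip Superseded and Retired documents are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds taken from the page: policies must be reviewed at least
# annually (PCI-DSS Requirement 12.1.2) and a document is "Due soon" when
# its next review date is within 30 days.
REVIEW_INTERVAL_DAYS = 365
DUE_SOON_WINDOW_DAYS = 30

# Statuses that no longer need a review cycle (assumption of this example)
INACTIVE_STATUSES = ("Superseded", "Retired")


@dataclass
class Document:
    title: str
    pci_requirement: str          # requirement the document supports, e.g. "12.10"
    owner: str                    # person responsible for maintenance and review
    status: str                   # Draft, Under Review, Approved, Superseded, Retired
    last_reviewed: date
    next_review: Optional[date] = None   # explicit date overrides the annual default

    def effective_next_review(self) -> date:
        # Fall back to "one year after the last review" when no date was set
        if self.next_review is not None:
            return self.next_review
        return self.last_reviewed + timedelta(days=REVIEW_INTERVAL_DAYS)


def review_status(doc: Document, today: date) -> str:
    """Classify a document as Overdue, Due soon or Current relative to today."""
    days_left = (doc.effective_next_review() - today).days
    if days_left < 0:
        return "Overdue"
    if days_left <= DUE_SOON_WINDOW_DAYS:   # exactly 30 days still counts as due soon
        return "Due soon"
    return "Current"


def review_report(docs: List[Document], today: date) -> Dict[str, List[str]]:
    """Group active document titles by review status; skip retired/superseded ones."""
    report: Dict[str, List[str]] = {"Overdue": [], "Due soon": [], "Current": []}
    for doc in docs:
        if doc.status in INACTIVE_STATUSES:
            continue
        report[review_status(doc, today)].append(doc.title)
    return report


# Constructed sample repository and reference date (not real data)
TODAY = date(2024, 6, 1)
SAMPLE_DOCS = [
    Document("Information Security Policy", "12.1", "CISO", "Approved",
             last_reviewed=date(2023, 3, 15)),                      # annual review missed
    Document("Incident Response Plan", "12.10", "SOC Lead", "Approved",
             last_reviewed=date(2023, 6, 20)),                      # due in 18 days
    Document("Remote Access Policy", "8.4", "IT Manager", "Under Review",
             last_reviewed=date(2024, 1, 10)),                      # reviewed recently
    Document("Acceptable Use Policy (2021)", "12.2", "IT Manager", "Superseded",
             last_reviewed=date(2021, 2, 1)),                       # skipped: superseded
    Document("Data Retention and Disposal Policy", "3.2", "DPO", "Approved",
             last_reviewed=date(2023, 5, 1), next_review=date(2024, 7, 1)),  # exactly 30 days
]

if __name__ == "__main__":
    for status, titles in review_report(SAMPLE_DOCS, TODAY).items():
        print(f"{status}: {titles}")
```

An explicit `next_review` date takes precedence over the computed annual default, so a document reviewed "when the environment changes" can be given a shorter cycle without altering the global interval.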
## QSA Engagement
If your organisation requires a ROC or engages a QSA for advisory services, track the engagement in Venvera:
- QSA company name and assessor details
- Assessment scope and timeline
- Interim findings and remediation tracking
- Final ROC and AOC document storage