The Report on Compliance (ROC) is the comprehensive and formal document that details the methodology, scope, and in-depth results of a PCI DSS assessment conducted by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). It provides a thorough description of the controls in place and the evidence reviewed for each requirement. The ROC template requires formal attestation through signatures from both an executive officer of the entity being assessed and the lead assessor, thereby validating the findings documented within the report.

A. Security Assessment Questionnaire (SAQ): This is a self-validation tool for merchants and service providers to report on their compliance status; it is not a detailed report co-signed by an external assessor.

B. Attestation of Compliance (AOC): This document is a summary declaration that attests to the compliance status found in a ROC or SAQ, not the detailed report that describes the assessment results.

D. Letter of Approval (LOA): This term is associated with the validation of payment applications under standards like PA-DSS or the PCI Software Security Framework (SSF), not a report on an entity's overall PCI DSS compliance.

1. PCI Security Standards Council. (2022). Report on Compliance for Payment Card Industry (PCI) Data Security Standard (DSS) v4.0. The template's purpose is to provide a "report of the results of an entity’s PCI DSS assessment." Page 5 includes the required signature blocks for the "Assessed Entity Executive Officer" and the "Qualified Security Assessor (QSA)".

2. PCI Security Standards Council. (2022). Attestation of Compliance for Onsite Assessments – Merchants, PCI DSS v4.0. Part 2, "Report on Compliance," explicitly states: "This Attestation of Compliance is based on the results noted in the Report on Compliance (ROC) dated (completion date of ROC)..." This confirms the ROC is the primary descriptive document from which the AOC is derived.

3. PCI Security Standards Council. (2022). Payment Card Industry (PCI) Data Security Standard Requirements and Testing Procedures version 4.0. Section 5.3, "Validation of PCI DSS Compliance," describes that entities required to submit a Report on Compliance (ROC) must have a formal assessment performed by a QSA.