There areseparate Attestation of Compliance (AOC) templatesfor different use cases, specifically formerchantsandservice providers, and forSAQsversusROCs. Each template is tailored to match the reporting needs of that assessment type.
Option A:✅Correct. PCI SSC publishes distinct AOC templates depending on whether the entity is a merchant or service provider, and depending on whether they are completing an SAQ or ROC.
Option B:❌Incorrect. The AOC is not signed by PCI SSC. It must be signed by the assessed entity and, where applicable, the QSA or ISA.
Option C:❌Incorrect. ROCs and SAQs use different AOC formats.
Option D:❌Incorrect. Both the entity and the assessor (if applicable)mustsign.
[References:, PCI DSS v4.0.1 – Section 11: Instructions and Content for Report on Compliance, Attestation of Compliance for Report on Compliance – Service Providers(uploaded) – Pages 1–2., , , ]
Submit