An Attestation of Compliance (AoC) is the formal document signed by a Qualified Security Assessor (QSA) or authorized officer stating that an organization meets PCI DSS for a defined scope and period. Enterprises request AoCs from payment vendors, hosting providers, and any Level 1 service provider in the card data chain.
AoCs are scope-specific. A provider AoC for “tokenization services” may not cover your entire checkout if you also store PAN elsewhere. Procurement teams should map AoC scope statements to architecture diagrams, not treat them as blanket certifications.
AoCs expire annually. Stale documents are a red flag in vendor risk reviews. Pair AoC review with penetration test summaries, subprocessor lists, and incident history for a complete trust picture.
Veliro publishes PCI and SOC evidence through the trust center as attestations complete. Merchants use these artifacts in their own PCI programs to document outsourced functions and reduce duplicated control testing where responsibility matrices allow.
When your auditor questions a control, map it to the corresponding line item in the vendor responsibility matrix rather than re-performing the provider’s tests; that is the intended efficiency of outsourced tokenization.