Frequently Asked Question
Can the AOC be redacted to protect sensitive information?
Examples of AOC sections that might contain information considered to be sensitive include:
- Part 2c. Locations: Information in the “Location(s) of facility” column
- Part 2d. Payment Applications: Details of Payment Application Name, Version Number, and Application Vendor
- Part 2e. Description of Environment
Note: It is not permitted to redact any content from the signed AOC prior to submitting it to a payment brand or acquirer for compliance validation purposes.
See also FAQ #1220: Are compliance certificates recognized for PCI DSS validation?