Frequently Asked Question
What date should be used for "Date of Report" in the ROC?
The "Date of Report" indicates the completion date of the ROC, and therefore must be no earlier than the date on which the QSA completed collection and validation of corresponding evidence to support the QSA's findings documented in the ROC.
Further, the ROC should not be considered complete until all reporting within the ROC is finalized, including completion of all internal quality assurance activities.
Note: Per the QSA Program Guide, the dates of the ROC and AOC cannot predate completion of the PCI DSS Assessment, and the date of the AOC cannot predate the corresponding ROC. As a matter of accuracy, the date of the ROC and AOC should not be in the future. See also Can an Attestation of Compliance (AOC) be provided to an assessed entity before the Report on Compliance (ROC) is finalized?
Further, the ROC should not be considered complete until all reporting within the ROC is finalized, including completion of all internal quality assurance activities.
Note: Per the QSA Program Guide, the dates of the ROC and AOC cannot predate completion of the PCI DSS Assessment, and the date of the AOC cannot predate the corresponding ROC. As a matter of accuracy, the date of the ROC and AOC should not be in the future. See also Can an Attestation of Compliance (AOC) be provided to an assessed entity before the Report on Compliance (ROC) is finalized?
July 2019
Article Number: 1458
