Frequently Asked Question

What is the completion date for PCI DSS assessments documented in a Report on Compliance and its related Attestations of Compliance?

For PCI DSS assessments documented in a Report on Compliance (ROC), the Date of Report is considered the completion date for the PCI DSS assessment. This denotes the date when the QSA Company and assessed entity agree on the final version of the ROC.

The Date of Report can be found in the:

  • ROC, in Section 1.2.
  • ROC Attestations of Compliance (AOCs), on the AOC cover page and in Section 3 at the start of Part 3.

The ROC AOC also includes the following:

  • Part 3b Merchant (or Service Provider) Attestation, for the Merchant or Service Provider Executive officer’s signature and signing date.
  • Part 3c Qualified Security Assessor (QSA) Acknowledgement, for the Duly Authorized Officer of the QSA Company’s signature and signing date.

The signature dates noted above are expected to be the same date as, or within a reasonable timeframe after (for example, within two or three weeks), the Date of Report. These signature dates acknowledge that the ROC and ROC Date of Report are accurate; these dates do not indicate the completion date for a PCI DSS assessment.

Refer any questions about these dates, including about acceptable reasonable timeframes between dates, to the entity to which the document (the ROC or AOC) will be submitted. This is typically an acquirer (merchant bank) or the payment brands. Contact details for the payment brands can be found in FAQ 1142: How do I contact the payment card brands?

Refer to the following related FAQs:

FAQ 1458: What date should be used for "Date of Report" in the ROC?

FAQ 1356: What does "Duly Authorized Officer" mean?

FAQ 1375: Can an Attestation of Compliance (AOC) be provided to an assessed entity before the Report on Compliance (ROC) is finalized?

August 2024
Article Number: 1583
