Frequently Asked Question

For PCI DSS assessments documented in a Self-Assessment Questionnaire (SAQ), the Self-Assessment completion date denotes the date the PCI DSS self-assessment was completed, either by the entity, or, if applicable, by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). The Self-Assessment completion date can be found at the start of Section 2 in each SAQ, and in the SAQ Attestations of Compliance (AOCs) in Section 3 at the start of Part 3.

Each SAQ Attestation of Compliance (AOC) also includes Part 3b Merchant (or Service Provider) Attestation, for the Merchant or Service Provider Executive officer’s signature and signing date. This signature date is expected to be the same date as, or within a reasonable timeframe after (for example, within two or three weeks), the Self-Assessment completion date. The signature acknowledges that the SAQ and Self-Assessment completion date are accurate; this date does not indicate the completion date for the assessment.

Refer any questions about these dates, including about acceptable reasonable timeframes between dates, to the entity to which the document (the SAQ or AOC) will be submitted. This is typically an acquirer (merchant bank) or the payment brands. Contact details for the payment brands can be found in FAQ 1142 How do I contact the payment card brands?