Frequently Asked Questions

< Back to search page

Do QSAs and ASVs need to send reports of compliance (ROCs) or scanning results to the PCI Security Standards Council directly?

FAQ Response

No. QSAs and ASVs do not send reports of compliance or scanning results to the PCI Security Standards Council, and they should continue to follow the payment brand specific procedures.

February 2008
Article Number 1014

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?

How can I determine whether a QSA is authorized to perform PCI DSS assessments in all countries that are in scope for my company’s PCI DSS assessment?

What does “Servicing Markets” on the QSA listing mean?

What date should be used for “Date of Report” in the ROC?

Frequently Asked Questions

Do QSAs and ASVs need to send reports of compliance (ROCs) or scanning results to the PCI Security Standards Council directly?

Related Articles