Frequently Asked Questions

< Back to search page

Do QSAs and ASVs need to send reports of compliance (ROCs) or scanning results to the PCI Security Standards Council directly?

FAQ Response

No. QSAs and ASVs do not send reports of compliance or scanning results to the PCI Security Standards Council, and they should continue to follow the payment brand specific procedures.

February 2008
Article Number 1014

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

What date should be used for “Date of Report” in the ROC?

How can I determine whether a QSA is authorized to perform PCI DSS assessments in all countries that are in scope for my company’s PCI DSS assessment?

Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?

What does “Servicing Markets” on the QSA listing mean?

Frequently Asked Questions

Do QSAs and ASVs need to send reports of compliance (ROCs) or scanning results to the PCI Security Standards Council directly?

Related Articles