Frequently Asked Questions

< Back to search page

What date should be used for “Date of Report” in the ROC?

FAQ Response

The “Date of Report” indicates the completion date of the ROC, and therefore must be no earlier than the date on which the QSA completed collection and validation of corresponding evidence to support the QSA’s findings documented in the ROC.

Further, the ROC should not be considered complete until all reporting within the ROC is finalized, including completion of all internal quality assurance activities.
 
Note: Per the QSA Program Guide, the dates of the ROC and AOC cannot predate completion of the PCI DSS Assessment, and the date of the AOC cannot predate the corresponding ROC. As a matter of accuracy, the date of the ROC and AOC should not be in the future. See also Can an Attestation of Compliance (AOC) be provided to an assessed entity before the Report on Compliance (ROC) is finalized?

July 2019
Article Number 1458

Related Articles

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?

Can a partial PCI DSS assessment be documented in a Report on Compliance (ROC)?

Can an Attestation of Compliance (AOC) be provided to an assessed entity before the Report on Compliance (ROC) is finalized?

Do QSAs and ASVs need to send reports of compliance (ROCs) or scanning results to the PCI Security Standards Council directly?