FAQ Response
Further, the ROC should not be considered complete until all reporting within the ROC is finalized, including completion of all internal quality assurance activities.
Note: Per the QSA Program Guide, the dates of the ROC and AOC cannot predate completion of the PCI DSS Assessment, and the date of the AOC cannot predate the corresponding ROC. As a matter of accuracy, the date of the ROC and AOC should not be in the future. See also Can an Attestation of Compliance (AOC) be provided to an assessed entity before the Report on Compliance (ROC) is finalized?
July 2019
Article Number 1458