Frequently Asked Question
What date should be used for “Date of Report” in the ROC?
Further, the ROC should not be considered complete until all reporting within the ROC is finalized, including completion of all internal quality assurance activities.
Note: Per the QSA Program Guide, the dates of the ROC and AOC cannot predate completion of the PCI DSS Assessment, and the date of the AOC cannot predate the corresponding ROC. As a matter of accuracy, the date of the ROC and AOC should not be in the future. See also Can an Attestation of Compliance (AOC) be provided to an assessed entity before the Report on Compliance (ROC) is finalized?