PCI DSS compliance has no certificate on the wall counting down to an expiry date — which is exactly why it slips. Instead of one renewal, it's a rhythm: an annual attestation that says "we were compliant as of this date," and quarterly scans that have to keep coming in between. The attestation is good for about a year, so it has to be redone; the scans run roughly every ninety days, so there's always another one due.
Any business that takes card payments carries this cadence, and because nothing "expires" in the usual sense, it's easy to let the annual attestation drift or miss a quarterly scan — until an acquirer or a customer asks for current proof and there isn't any. Here's how PCI DSS validation actually works over a year, and how to keep every date in the cycle.
1. What is PCI DSS compliance?
PCI DSS (the Payment Card Industry Data Security Standard) is the security standard that applies to any organization that stores, processes, or transmits payment-card data. Compliance is validated on a recurring basis — for most merchants through an annual Self-Assessment Questionnaire and an Attestation of Compliance, and for larger merchants through a Report on Compliance from a Qualified Security Assessor — with vulnerability scans in between. Remindax helps you track those attestation and scan dates and reminds you before each; it doesn't perform scans, assess your compliance, or act as a QSA.
Because PCI DSS rarely sits alone — most businesses that handle card data juggle it beside dozens of other renewals and audits — it slots naturally into broader compliance tracking software, where the attestation renewal and scan dates live in one register instead of scattered across inboxes, security tools, and calendars.
1.1 How it's validated
"Being PCI DSS compliant" isn't a single event — it's proven through a few recurring mechanisms, and which ones apply depends on your merchant level and acquirer. Keep these three straight and you know what your PCI year actually looks like.
SAQ + AoC
A Self-Assessment Questionnaire and an Attestation of Compliance — self-assessment and attestation, typically completed annually for many merchants.
RoC
A Report on Compliance produced by a Qualified Security Assessor (QSA), for larger merchants and higher levels — the formal, assessor-led route to validation.
ASV scans
External vulnerability scans run by an Approved Scanning Vendor, typically required quarterly — the recurring check that keeps running between annual attestations.
2. How often do you validate PCI DSS compliance?
The SAQ/AoC (or RoC) is effectively valid for about one year and must be redone.
External vulnerability scans run roughly every 90 days.
The standard requires ongoing controls, not just point-in-time proof.
Exact requirements vary by merchant level and acquirer.
So PCI DSS is a cadence, not an expiry: one annual attestation plus four quarterly scans a year, repeating — and any of those dates can slip because none of them looks like a certificate running out. Exact requirements and scan frequency vary by merchant level and acquirer, so confirm your own obligations with your acquiring bank or QSA. Remindax tracks whatever attestation and scan dates apply to you and reminds you before each — it doesn't set the requirements or run the scans.
3. Why tracking PCI DSS dates matters
PCI validation is tied directly to a business's ability to accept card payments — and it rests on a rhythm of dates that's easy to lose sight of precisely because nothing on it "expires." The four risks below all trace back to the same slipped attestation or missed scan, and each is avoidable with a reminder fired early enough to act.
The attestation must be renewed yearly
An AoC is effectively a one-year statement; let it lapse and you have no current proof of compliance when an acquirer or customer asks.
Quarterly scans can't gap
ASV scans run roughly every 90 days; a missed quarter breaks the continuity the standard expects.
Acquirers and customers require current proof
Payment processors and enterprise customers often require up-to-date PCI validation; a lapse can jeopardize the ability to process cards or win business.
It repeats forever
Unlike a one-time certificate, PCI validation recurs every year and every quarter — a permanent cadence that's easy to lose track of.
4. Who needs to track PCI DSS dates
Anyone responsible for keeping card payments flowing has a PCI calendar to watch — from a single IT lead to a compliance team spanning several environments. Five roles feel it most:
IT & security teams
The scan and attestation calendar for cardholder-data systems — the people who make sure the next ASV scan and the annual attestation are never a surprise.
Learn MoreFinance & payments teams
PCI validation tied to the ability to process card payments — the attestation an acquirer or processor expects to stay current.
Learn MoreCompliance teams
PCI alongside the organization's other obligations — one register where the attestation and scan dates sit beside every other compliance deadline.
Learn MoreE-commerce & SaaS businesses
Any business taking card payments online — where PCI validation is a condition of the payment relationship, not an optional extra.
Managed service providers
The PCI cadence across multiple client environments — several attestation renewals and scan schedules that all have to stay on track at once.
5. What happens when PCI DSS validation lapses
Because PCI DSS has no certificate that visibly expires, a lapse tends to surface at the worst moment — when an acquirer, a partner, or an enterprise customer asks for current proof of compliance and the most recent attestation is over a year old, or a quarterly scan is missing. At that point the business can face pressure from its payment processor, higher scrutiny, and the risk to the relationships that let it accept cards at all.
The deeper exposure is what the cadence exists to manage: a business that's stopped scanning quarterly or attesting annually has likely also drifted on the controls the standard requires, which is precisely the gap that leads to a breach — and the consequences of a breach involving card data are severe. None of this is triggered by a date on a certificate; it's triggered by a rhythm quietly falling out of step. Tracking the annual attestation and the quarterly scans keeps the proof current and the cadence intact.
The dangerous assumption is that nothing can go wrong because nothing shows an expiry. But the gap surfaces when an acquirer or enterprise customer asks for current validation and the newest AoC is over a year old, or a quarterly scan is missing — often the first anyone hears of it. Watching the annual attestation and the quarterly scans, not a certificate date, is the only way to see the risk coming.
6. How Remindax keeps your PCI cadence on schedule
Remindax was built for exactly this kind of date — recurring, easy to lose track of because nothing "expires," and costly to miss. It holds the whole PCI cadence and reminds the right people with time to act, funneling naturally into broader compliance tracking software once the attestation and scan dates are two of many things you're watching, and sitting alongside your other certificates and audits in certification tracking software. Four pieces work together:
The whole cadence in one dashboard
The annual attestation (AoC/RoC) renewal and the quarterly ASV scan dates, with status at a glance — so the next date due is always in view.
Recurring reminders
Set the annual and quarterly cadence once and get staged alerts before each attestation and scan, by Email, SMS, and WhatsApp — to IT, security, and finance.
Quarterly by design
The ~90-day scan rhythm tracked automatically, so no quarter is skipped and the continuity the standard expects stays intact.
Audit-ready records
Store the current AoC alongside its renewal date and export proof on request — for an acquirer, a partner, or an enterprise customer.
Remindax tracks the dates and reminds you — it doesn't run scans, assess your compliance, or act as a QSA. The scans are run by an Approved Scanning Vendor and the assessment is done by you or a QSA; Remindax makes sure the date to attest and scan never slips past you first.
7. Why spreadsheets fail for PCI DSS tracking
PCI DSS is a cadence with no expiry date, which is exactly what a spreadsheet can't hold — there's no single renewal to key off, just an annual attestation and a quarterly scan that both have to keep recurring. A spreadsheet won't remind you the AoC is coming up on a year old, won't nudge you before the next quarterly scan, and won't keep the current attestation next to its renewal date for when an acquirer asks.
An automated, recurring system holds the annual and quarterly rhythm together and reminds the right people before each date — so the proof stays current and the cadence never quietly stops.
- ✗Has no single expiry to key off — so PCI never triggers a reminder
- ✗Won't warn you the AoC is coming up on a year old
- ✗Won't nudge you before the next quarterly ASV scan
- ✗Won't keep the current attestation beside its renewal date
- ✗Can't hold multiple client environments on parallel cadences
- ✓Holds the annual attestation and quarterly scan as recurring dates
- ✓Staged alerts before each attestation renewal, with lead time to act
- ✓Tracks the ~90-day scan rhythm so no quarter is skipped
- ✓Keeps the current AoC next to its renewal date, ready to export
- ✓Reminds IT, security, and finance by Email, SMS, and WhatsApp
8. Key takeaways
- ✓PCI DSS applies to any organization that handles payment-card data, and compliance is validated on a recurring basis.
- ✓It's a cadence, not a certificate: an annual attestation (SAQ/AoC or RoC) plus quarterly ASV scans.
- ✓The attestation is effectively good for a year and must be redone; the scans run roughly every 90 days.
- ✓A lapse surfaces when an acquirer or customer asks for current proof — and signals drift on the controls that prevent breaches.
- ✓Tracking the annual attestation and quarterly scans keeps proof current and the cadence intact.
Never let your PCI validation lapse
Track every attestation renewal and quarterly scan — automatically. Whether you handle PCI for one business or across many client environments, Remindax holds the whole cadence, watches each date, and reminds the right people well before it's due.
GDPR-ready · AWS secure cloud · Encrypted storage · Setup in under 5 minutes
9. Frequently Asked Questions
PCI validation is recurring: the attestation (SAQ/AoC or RoC) is effectively valid for about a year and must be redone annually, with ASV vulnerability scans typically each quarter.
A document attesting to your PCI DSS compliance as of a point in time, typically completed annually alongside a Self-Assessment Questionnaire or Report on Compliance.
External ASV scans are typically required quarterly - roughly every 90 days - depending on your requirements.
There's no certificate with a printed expiry, but the attestation is effectively a one-year statement and the scans recur quarterly - so validation lapses if the cadence isn't maintained.
You may have no current proof when an acquirer or customer requests it, risking your payment relationships - and a stopped cadence often signals drift on the controls that prevent breaches.
No - Remindax tracks the attestation and scan dates and reminds you. Scans are run by an ASV and assessments by you or a QSA.
Yes - the annual attestation renewal and the quarterly scan cadence together, each with its own reminders.
Yes - a forever-free plan, no credit card required.