Skip to main content
Remindax
AI SmartDoc NEW Pricing

Login Signup Free
Document Tracking

Track your PCI DSS attestation and scan deadlines

PCI DSS compliance isn't a certificate you earn once — the attestation has to be renewed every year and vulnerability scans run every quarter. Remindax tracks every attestation and scan date and sends automated Email, SMS, and WhatsApp reminders before each, so your PCI validation never quietly lapses.

  • GDPR-ready
  • Forever-free plan
  • iOS & Android App
  • Trusted by 30,000+ teams
A card payment terminal beside a laptop tracking the annual PCI DSS attestation renewal and the quarterly ASV vulnerability-scan dates
PCI DSS has no certificate that visibly expires — it's an annual attestation plus quarterly scans that both have to keep coming.

PCI DSS compliance has no certificate on the wall counting down to an expiry date — which is exactly why it slips. Instead of one renewal, it's a rhythm: an annual attestation that says "we were compliant as of this date," and quarterly scans that have to keep coming in between. The attestation is good for about a year, so it has to be redone; the scans run roughly every ninety days, so there's always another one due.

Any business that takes card payments carries this cadence, and because nothing "expires" in the usual sense, it's easy to let the annual attestation drift or miss a quarterly scan — until an acquirer or a customer asks for current proof and there isn't any. Here's how PCI DSS validation actually works over a year, and how to keep every date in the cycle.

Section 01

1. What is PCI DSS compliance?

PCI DSS (the Payment Card Industry Data Security Standard) is the security standard that applies to any organization that stores, processes, or transmits payment-card data. Compliance is validated on a recurring basis — for most merchants through an annual Self-Assessment Questionnaire and an Attestation of Compliance, and for larger merchants through a Report on Compliance from a Qualified Security Assessor — with vulnerability scans in between. Remindax helps you track those attestation and scan dates and reminds you before each; it doesn't perform scans, assess your compliance, or act as a QSA.

Because PCI DSS rarely sits alone — most businesses that handle card data juggle it beside dozens of other renewals and audits — it slots naturally into broader compliance tracking software, where the attestation renewal and scan dates live in one register instead of scattered across inboxes, security tools, and calendars.

1.1 How it's validated

"Being PCI DSS compliant" isn't a single event — it's proven through a few recurring mechanisms, and which ones apply depends on your merchant level and acquirer. Keep these three straight and you know what your PCI year actually looks like.

Most merchants

SAQ + AoC

A Self-Assessment Questionnaire and an Attestation of Compliance — self-assessment and attestation, typically completed annually for many merchants.

Larger merchants

RoC

A Report on Compliance produced by a Qualified Security Assessor (QSA), for larger merchants and higher levels — the formal, assessor-led route to validation.

In between

ASV scans

External vulnerability scans run by an Approved Scanning Vendor, typically required quarterly — the recurring check that keeps running between annual attestations.

Section 02

2. How often do you validate PCI DSS compliance?

Quick answer — the PCI DSS cadence
Annual attestation

The SAQ/AoC (or RoC) is effectively valid for about one year and must be redone.

Quarterly ASV scans

External vulnerability scans run roughly every 90 days.

Between-assessment obligations

The standard requires ongoing controls, not just point-in-time proof.

Level-dependent

Exact requirements vary by merchant level and acquirer.

So PCI DSS is a cadence, not an expiry: one annual attestation plus four quarterly scans a year, repeating — and any of those dates can slip because none of them looks like a certificate running out. Exact requirements and scan frequency vary by merchant level and acquirer, so confirm your own obligations with your acquiring bank or QSA. Remindax tracks whatever attestation and scan dates apply to you and reminds you before each — it doesn't set the requirements or run the scans.

Section 03

3. Why tracking PCI DSS dates matters

PCI validation is tied directly to a business's ability to accept card payments — and it rests on a rhythm of dates that's easy to lose sight of precisely because nothing on it "expires." The four risks below all trace back to the same slipped attestation or missed scan, and each is avoidable with a reminder fired early enough to act.

3.1

The attestation must be renewed yearly

An AoC is effectively a one-year statement; let it lapse and you have no current proof of compliance when an acquirer or customer asks.

3.2

Quarterly scans can't gap

ASV scans run roughly every 90 days; a missed quarter breaks the continuity the standard expects.

3.3

Acquirers and customers require current proof

Payment processors and enterprise customers often require up-to-date PCI validation; a lapse can jeopardize the ability to process cards or win business.

3.4

It repeats forever

Unlike a one-time certificate, PCI validation recurs every year and every quarter — a permanent cadence that's easy to lose track of.

Section 04

4. Who needs to track PCI DSS dates

Anyone responsible for keeping card payments flowing has a PCI calendar to watch — from a single IT lead to a compliance team spanning several environments. Five roles feel it most:

Section 05

5. What happens when PCI DSS validation lapses

Because PCI DSS has no certificate that visibly expires, a lapse tends to surface at the worst moment — when an acquirer, a partner, or an enterprise customer asks for current proof of compliance and the most recent attestation is over a year old, or a quarterly scan is missing. At that point the business can face pressure from its payment processor, higher scrutiny, and the risk to the relationships that let it accept cards at all.

The deeper exposure is what the cadence exists to manage: a business that's stopped scanning quarterly or attesting annually has likely also drifted on the controls the standard requires, which is precisely the gap that leads to a breach — and the consequences of a breach involving card data are severe. None of this is triggered by a date on a certificate; it's triggered by a rhythm quietly falling out of step. Tracking the annual attestation and the quarterly scans keeps the proof current and the cadence intact.

⚠ A lapse surfaces when someone asks for proof — not on a due date

The dangerous assumption is that nothing can go wrong because nothing shows an expiry. But the gap surfaces when an acquirer or enterprise customer asks for current validation and the newest AoC is over a year old, or a quarterly scan is missing — often the first anyone hears of it. Watching the annual attestation and the quarterly scans, not a certificate date, is the only way to see the risk coming.

Section 06

6. How Remindax keeps your PCI cadence on schedule

Remindax was built for exactly this kind of date — recurring, easy to lose track of because nothing "expires," and costly to miss. It holds the whole PCI cadence and reminds the right people with time to act, funneling naturally into broader compliance tracking software once the attestation and scan dates are two of many things you're watching, and sitting alongside your other certificates and audits in certification tracking software. Four pieces work together:

🗂️

The whole cadence in one dashboard

The annual attestation (AoC/RoC) renewal and the quarterly ASV scan dates, with status at a glance — so the next date due is always in view.

🔔

Recurring reminders

Set the annual and quarterly cadence once and get staged alerts before each attestation and scan, by Email, SMS, and WhatsApp — to IT, security, and finance.

🔁

Quarterly by design

The ~90-day scan rhythm tracked automatically, so no quarter is skipped and the continuity the standard expects stays intact.

📑

Audit-ready records

Store the current AoC alongside its renewal date and export proof on request — for an acquirer, a partner, or an enterprise customer.

One honest limit

Remindax tracks the dates and reminds you — it doesn't run scans, assess your compliance, or act as a QSA. The scans are run by an Approved Scanning Vendor and the assessment is done by you or a QSA; Remindax makes sure the date to attest and scan never slips past you first.

Section 07

7. Why spreadsheets fail for PCI DSS tracking

PCI DSS is a cadence with no expiry date, which is exactly what a spreadsheet can't hold — there's no single renewal to key off, just an annual attestation and a quarterly scan that both have to keep recurring. A spreadsheet won't remind you the AoC is coming up on a year old, won't nudge you before the next quarterly scan, and won't keep the current attestation next to its renewal date for when an acquirer asks.

An automated, recurring system holds the annual and quarterly rhythm together and reminds the right people before each date — so the proof stays current and the cadence never quietly stops.

Manual spreadsheet
  • Has no single expiry to key off — so PCI never triggers a reminder
  • Won't warn you the AoC is coming up on a year old
  • Won't nudge you before the next quarterly ASV scan
  • Won't keep the current attestation beside its renewal date
  • Can't hold multiple client environments on parallel cadences
Automated tracking
  • Holds the annual attestation and quarterly scan as recurring dates
  • Staged alerts before each attestation renewal, with lead time to act
  • Tracks the ~90-day scan rhythm so no quarter is skipped
  • Keeps the current AoC next to its renewal date, ready to export
  • Reminds IT, security, and finance by Email, SMS, and WhatsApp
Section 08

8. Key takeaways

  • PCI DSS applies to any organization that handles payment-card data, and compliance is validated on a recurring basis.
  • It's a cadence, not a certificate: an annual attestation (SAQ/AoC or RoC) plus quarterly ASV scans.
  • The attestation is effectively good for a year and must be redone; the scans run roughly every 90 days.
  • A lapse surfaces when an acquirer or customer asks for current proof — and signals drift on the controls that prevent breaches.
  • Tracking the annual attestation and quarterly scans keeps proof current and the cadence intact.

Never let your PCI validation lapse

Track every attestation renewal and quarterly scan — automatically. Whether you handle PCI for one business or across many client environments, Remindax holds the whole cadence, watches each date, and reminds the right people well before it's due.

GDPR-ready · AWS secure cloud · Encrypted storage · Setup in under 5 minutes

Section 09

9. Frequently Asked Questions

PCI validation is recurring: the attestation (SAQ/AoC or RoC) is effectively valid for about a year and must be redone annually, with ASV vulnerability scans typically each quarter.

A document attesting to your PCI DSS compliance as of a point in time, typically completed annually alongside a Self-Assessment Questionnaire or Report on Compliance.

External ASV scans are typically required quarterly - roughly every 90 days - depending on your requirements.

There's no certificate with a printed expiry, but the attestation is effectively a one-year statement and the scans recur quarterly - so validation lapses if the cadence isn't maintained.

You may have no current proof when an acquirer or customer requests it, risking your payment relationships - and a stopped cadence often signals drift on the controls that prevent breaches.

No - Remindax tracks the attestation and scan dates and reminds you. Scans are run by an ASV and assessments by you or a QSA.

Yes - the annual attestation renewal and the quarterly scan cadence together, each with its own reminders.

Yes - a forever-free plan, no credit card required.