Diff: FAQ #1176

How does an organization maintain compliance when a standard changes?

Earlier Version

To minimize [...] the PCI Security Standards Council (PCI SSC) has established a lifecycle approach for PCI DSS and PA-DSS, where major version changes to the standards will occur every 3 years (for example, an update from version 2.0 to version 3.0). To ensure organizations have enough time to transition to a new standard without falling out of compliance, the previous version will remain active for 14 months after a major version of the standard is published. This ensures a gradual, phased introduction of any updated requirements, and helps to prevent organizations from becoming noncompliant when changes are published. The 3-year standards lifecycle also allows for changes "out-of-cycle" as needed to address critical issues or errata. To ensure that organizations can maintain compliance with updated versions of the standards, new requirements may be phased in with future effective dates.

Later Version

PCI SSC updates its standards to address changes in payment industry threats, risks, and best practices. To ensure organizations have enough time to transition to a new standard, the previous version will remain active for a period of time (typically between 12 and 18 months) after a major version of a standard is published. The period of time will depend on factors such as the volume of changes in a standard and the impact to stakeholders. This ensures a gradual, phased introduction of any updated requirements, and helps to prevent organizations from becoming noncompliant when changes are published. To ensure that organizations can maintain compliance with updated versions of the standards, new requirements may also be phased in with future effective dates. Future-dated requirements are considered best practices until the future date is reached, after which those requirements will be effective and applicable.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.