CHAPTER 6: MAINTAINING COMPLIANCE


Once an organisation has achieved compliance with the PCI DSS, it must maintain its level of compliance. This, of course, means making oneself aware of any changes to the PCI DSS itself (the latest version was released in April 2015), as well as maintaining the PCI DSS security environment.

The PCI SSC makes the point this way: technically, it is true that, if you’ve completed a Self-Assessment Questionnaire (SAQ), you’re compliant – ‘for that particular moment in time when the Self-Assessment Questionnaire and associated vulnerability scan (if applicable) is completed. After that moment, only a post-breach forensic analysis can prove PCI compliance. But a bad system change can make you non-compliant in an instant. True security of cardholder data requires non-stop assessment and remediation to ensure that likelihood of a breach is kept as low as possible.’1

Version 3.1 of the PCI DSS helps organisations with true security by adding more flexibility and guidance for integrating card security into their business-as-usual activities.

Although the DESV (Designated Entities Supplemental Validation) is intended for entities that have been designated by a payment brand or acquirer, the PCI SSC recommends2 that it can also be used to complement any entity’s PCI DSS compliance efforts, and all entities are encouraged to follow the DESV as a best practice, even if they are not required to validate against it.


1 www.pcisecuritystandards.org/documents/pciscc_ten_common_myths.pdf (Myth 8).

2 www.pcisecuritystandards.org/documents/FAQs_for_DESV.pdf
