Frequently Asked Questions

How does an organization maintain compliance when a standard changes?

FAQ Response

To minimize changes to the standards, the PCI Security Standards Council (PCI SSC) has established a lifecycle approach for PCI DSS and PA-DSS, where major version changes to the standards will occur every 3 years (for example, an update from version 2.0 to version 3.0). To ensure organizations have enough time to transition to a new standard without falling out of compliance, the previous version will remain active for 14 months after a major version of the standard is published. This ensures a gradual, phased introduction of any updated requirements, and helps to prevent organizations from becoming noncompliant when changes are published. The 3-year standards lifecycle also allows for changes “out-of-cycle” as needed to address critical issues or errata. To ensure that organizations can maintain compliance with updated versions of the standards, new requirements may be phased in with future effective dates.

February 2008
Article Number 1176