Frequently Asked Question

How does an organization maintain compliance when a standard changes?

PCI SSC updates its standards to address changes in payment industry threats, risks, and best practices. To give organizations enough time to transition to a new standard, the previous version remains active for a period of time (typically between 12 and 18 months) after a major version of a standard is published. The length of that period depends on factors such as the volume of changes in the standard and the impact on stakeholders. This ensures a gradual, phased introduction of any updated requirements and helps prevent organizations from becoming noncompliant the moment changes are published. To help organizations maintain compliance with updated versions of the standards, new requirements may also be phased in with future effective dates. Future-dated requirements are considered best practices until the future date is reached, after which those requirements become effective and applicable.
Last updated: August 2021
Originally published: November 2012
Article Number: 1176