Once an organisation has achieved compliance with the PCI DSS, it must maintain its level of compliance. This, of course, means making oneself aware of any changes to the PCI DSS itself (the latest version was released in April 2016), as well as maintaining the PCI DSS security environment.
The PCI SSC makes the point this way: technically, it is true that, if you’ve completed a Self-Assessment Questionnaire (SAQ), you’re compliant – ‘for that particular moment in time when the Self-Assessment Questionnaire and associated vulnerability scan (if applicable) is completed. After that moment, only a post-breach forensic analysis can prove PCI compliance. But a bad system change can make you non-compliant in an instant. True security of cardholder data requires non-stop assessment and remediation to ensure that likelihood of a breach is kept as low as possible.’1
Version 3.2 of the PCI DSS now incorporates the requirements for designated entities supplemental validation (DESV) as an appendix to the Standard, Appendix A3. Although the DESV/Appendix A3 applies to those entities that have been designated, the PCI SSC recommends2 that its controls be used to complement any entity’s PCI DSS compliance efforts, and all entities are encouraged to follow them as a best practice, even if they are not required to validate against them.
_____________
1 www.pcisecuritystandards.org/documents/pciscc_ten_common_myths.pdf (Myth 8).