When it comes to PCI compliance, merchants and software vendors alike often make the mistake of viewing their compliance as a “checklist” rather than an ongoing process. Too many people assume that PCI compliance is achieved once. In reality, however, it is maintained, through vigilant adaptation to both PCI requirements and evolving security threats.

A closer look at the PCI DSS requirements should make it quite clear that compliance is an ongoing exercise. For example, Requirement 1 reads, “Install and maintain a firewall configuration to protect cardholder data.” Requirement 5 mandates that you “Use and regularly update anti-virus software.” Requirement 6 states that you “Develop and maintain secure systems and applications.” Requirement 11 directs you to “Regularly test security systems and processes.” And, of course, Requirement 12 states that you must “Maintain a policy that addresses information security.” Clearly, five of the twelve PCI requirements explicitly mention either maintaining or updating, which should make it clear to anyone paying attention that there is no finality to PCI compliance.

In fact, any proclamation of “PCI compliance” is best viewed as a snapshot of compliance at a specific time. While merchants and software vendors are able to use a variety of means to test compliance on any given date, the truth remains that ongoing compliance requires both vigilance and, often, quarterly and yearly compliance assessments. Merchants and software vendors must ensure that their processes, or their applications as the case may be, are PCI compliant. But how does one know if they are PCI compliant? What is PCI compliant? The answer to those questions is slightly more complicated than it might seem. Assuming that you have a good understanding of PCI compliance basics, and that you’ve moved beyond the “checklist” mentality, verifying your compliance involves understanding the ongoing nature of PCI compliance.
At its root, PCI compliance is about securing data and, by that process, protecting cardholders and customers. For PCI standards to be effective, periodic re-evaluation and adaptation are imperative. People sometimes forget that PCI compliance requirements apply to all “system components,” and that ongoing assessments, on both a quarterly and yearly basis, are mandatory for most merchants. This means, of course, that any change in hardware or software within your network must meet PCI requirements on an ongoing basis. PCI compliance is dynamic, requiring ongoing adaptation. PCI compliance starts with a set of 12 basic requirements, it continues with vigilance and adaptation, and it ends with... well, it doesn’t end.