There are three ongoing steps for adhering to the PCI DSS:
Assess – identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data.
Fix – fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.
Report – documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).
Scope – determine which system components and networks are in scope for PCI DSS.
Assess – examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement.
Report – Assessor and/or entity completes required documentation (e.g., Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls.
Attest – complete the appropriate Attestation of Compliance (AOC).
Submit – submit the SAQ, ROC, AOC, and other requested supporting documentation such as ASV scan reports.
Link to ROC template: https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-ROC-Reporting-Template.pdf
Remediate – If required, perform remediation to address requirements that are not in place and provide an updated report.