Although the PCI SSC has no lawful authority to compel compliance, It is just a requirement for any business that processes credit history or debit card transactions. The timeline for this could be a couple of months to a couple months based on how the resources and funds is allocated https://bestcybersecurityconsulting.com/blogs/top-cybersecurity-experts-protect-your-business-from-threats-today/
