After detailed discussions with community stakeholders, PCI SSC is discontinuing the Items Noted for Improvement (INFI) Worksheet, which was introduced with PCI DSS v4.0.
The decision to remove INFI from assessor practices was made with the agreement of the PCI Global Executive Assessor Roundtable and PCI Board of Advisors.
While many saw value in having a consistent template for documenting items for improvement, the existence of an INFI worksheet introduced business challenges that community members feel outweigh the benefits. The presence of a formal INFI template also led to misunderstandings that resulted in the worksheet being used in ways other than intended.
PCI SSC no longer requires QSAs to complete an INFI Worksheet for PCI DSS assessments. QSAs should continue to follow assessment best practices to determine whether a requirement should be considered in place, and document accordingly in their work papers and in the ROC.
For assessments where the INFI process has been used or is currently being used to determine that a requirement is in place, there is no need to change the assessment finding or re-document the information from an INFI worksheet into another format. QSAs should confirm whether the entity being assessed wishes to receive the INFI Worksheet as part of the assessment.
Note: During a PCI DSS assessment, there might be occasions where the assessor identifies PCI DSS requirements that are not fully in place or where the entity has had minor lapses in a security control. In these circumstances, once the assessor has verified whether the entity has implemented corrective action, has successfully performed the control in accordance with the requirement, and has processes in place to continue to meet the requirement, the assessor would use good judgement to determine whether a requirement is considered in place or not in place.