The PCI Security Standards Council (PCI SSC) has published notable updates to its PCI Forensic Investigator (PFI) Program, including changes to its supporting documentation, Addendum to Qualified Security Assessor Agreement for PCI Forensic Investigators, and reporting templates. PCI Forensic Investigators are qualified by the Council and must work for a Qualified Security Assessor company that provides a dedicated forensic investigation practice. PFIs help determine the occurrence of a cardholder data compromise, and when and how it may have occurred, using proven investigative methodologies and tools.
“The updates we made to the PFI Program are vastly the result of PFI community feedback we have received over the past year,” said Mark Mrotek, Director of Certification Programs, PCI SSC. “We believe these changes will be helpful to maintain the value of the Program for our PFI community and stakeholders. We appreciate all the feedback and support provided by the PFI community to help us improve the Program.”
Among the most notable changes to the Program are updated PFI Program Documents, featuring more flexible Independence Requirements. Some of the changes include the following:
- PFI Independence Requirements have been replaced with succinct “PFI must…” statements at each of three levels: 1) the PFI Company, 2) the PFI Employee, and 3) a per-case independence attestation (in the report templates)
- PFI Independence Requirements now also reference the QSA Independence Requirements (to which PFIs are already obligated)
- PFI attests on a per-case basis, and discloses any perceived or actual conflicts of interest/independence in each PFI Report (i.e., Preliminary and Final reports)
- Developed “PFI Independence Case Examples” as Appendix E of the PFI Qualification Requirements
Other material changes to the PFI Program include:
- Pricing Structure for Regions: Significantly reduced pricing across all regions
- PFI Community Calls: Reduced cadence from quarterly to semi-annual beginning this year
- Annual PFI Information Exchange: Format is changing to a virtual-only event with optional attendance for PFI employees – no more mandatory, in-person requirement for PFIs
- New PCI SSC Knowledge Training Benefit: Two vouchers offered annually for each PFI Company to use as they see fit
- New PFI Collaboration Portal: Up and running since April 2024 for PFIs to chat amongst themselves and share ideas as well as new threats being seen in merchant environments; all communications to, from, and within the space are encrypted and access controlled to qualified PFIs only
- Simplified PFI Company Listing: Updated and standardized the “Place of Business” field to match PFI Company's “Regions” listing. This change comes from feedback from various stakeholders and will make it easier for the public to find a PFI
- Minor Update to the Addendum to Qualified Security Assessor Agreement for PCI Forensic Investigators (“PFI Agreement”): Clarified Subcontractor and Subject Matter Expert (SME) requirements to permit only PFI Companies in Good Standing to subcontract in a PFI investigation