The New PCI INFI Worksheet

On June 28, 2023, the Payment Card Industry Security Standards Council (PCI SSC) published a new worksheet, “PCI DSS v4.x Items Noted for Improvement (INFI).” This document is to be completed for all v4.0 PCI Data Security Standard (PCI DSS) compliance assessments. If the assessed entity did not have items that were noted for improvement, the Qualified Security Assessor (QSA) must still complete the acknowledgment and attestation. If the QSA or assessed entity found that requirements were not consistently maintained, or if a control was not fully in place but the entity was able to address and correct the issues prior to completing the assessment, this worksheet needs to be filled out to document the requirement, the issue, who identified the issue, the cause of the failure, and the corrective and preventative actions taken by the assessed entity.

This worksheet is meant to remain an internal document for the assessed entity and to be used as a tool to support continuous PCI DSS compliance. Though not required, the INFI worksheet can also be used for PCI DSS v3.2.1 assessments.

The worksheet and supporting materials are linked below and can also be downloaded from the PCI SSC Document Library.

For more information about getting prepared for the changes ahead in the PCI DSS, and to learn how the Sikich PCI DSS 4.0 Jumpstart Program can help, reach out to our team of assessors.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
