The PCI Security Standards Council (PCI SSC) has announced significant updates to its PCI Forensic Investigator (PFI) Program, including changes to its supporting documents, the Addendum to Qualified Security Assessor Agreement for PCI Forensic Investigators, and its report templates. PCI Forensic Investigators are certified by the Council and must be employed by a Qualified Security Assessor organization that provides specialized forensic investigation services. PFIs play a vital role in confirming whether a cardholder data breach has occurred and in determining when and how it happened, using established investigative techniques and tools.
“The alterations made to the PFI Program largely stem from the feedback received from the PFI community over the preceding year,” mentioned Mark Mrotek, Director of Certification Programs, PCI SSC. “We trust that these adjustments will prove beneficial in upholding the Program’s value for our PFI community and stakeholders. We are grateful for all the insights and assistance provided by the PFI community in aiding us to enhance the Program.”
Among the primary changes to the Program are the revised PFI Program Documents, which introduce more flexible Independence Requirements. The changes include the following:
- Substitution of PFI Independence Requirements with concise “PFI must…” directives for each 1) PFI Company, 2) PFI Employee, and 3) per-case independence attestation (found in the report templates)
- Inclusion of references to QSA Independence Requirements in PFI Independence Requirements (which PFIs are bound by)
- PFIs are required to declare, on a per-case basis, any perceived or actual conflicts of interest or independence in each PFI Report (e.g., in Preliminary and Final reports)
- Introduction of “PFI Independence Case Examples” as Appendix E of the PFI Qualification Requirements
Other significant modifications to the PFI Program entail:
- Regional Pricing Structure: Considerably lowered pricing across all regions
- PFI Community Calls: Decreased frequency from quarterly to biannual commencing this year
- Annual PFI Information Exchange: The format will transition to a virtual-only event with the option for PFI employees to attend – eliminating the mandatory in-person requirement for PFIs
- New PCI SSC Knowledge Training Benefit: Two vouchers provided annually for each PFI Company to utilize at their discretion
- New PFI Collaboration Portal: Operational since April 2024, enabling PFIs to interact among themselves, exchange ideas, and discuss emerging threats observed in merchant environments; all communications within the space are encrypted and accessible only to qualified PFIs
- Streamlined PFI Company Listing: Updated and standardized the “Place of Business” field to correspond with the PFI Company’s “Regions” listing. This alteration is a response to feedback from diverse stakeholders, facilitating easier access for the public to locate a PFI
- Minor Amendment to the Addendum to Qualified Security Assessor Agreement for PCI Forensic Investigators (“PFI Agreement”): Enhanced clarity on Subcontractor and Subject Matter Expert (SME) requirements, permitting solely PFI Companies in Good Standing to engage in subcontracting for a PFI investigation