On June 28, 2023, the Payment Card Industry Security Standards Council (PCI SSC) published a new worksheet, “PCI DSS v4.x Items Noted for Improvement (INFI).” This document is to be completed for all v4.0 PCI Data Security Standard (PCI DSS) compliance assessments. If the assessed entity did not have items that were noted for improvement, the Qualified Security Assessor (QSA) must still complete the acknowledgment and attestation. If the QSA or assessed entity found that requirements were not consistently maintained, or if a control was not fully in place but the entity was able to address and correct the issues prior to completing the assessment, this worksheet needs to be filled out to document the requirement, the issue, who identified the issue, the cause of the failure, and the corrective and preventative actions taken by the assessed entity.
This worksheet is meant to remain an internal document for the assessed entity and to be used as a tool to support continuous PCI DSS compliance. Though not required, this INFI worksheet can also be used for PCI DSS v3.2.1 assessments.
The worksheet and supporting materials are linked below and can also be downloaded from the PCI SSC Document Library.
For more information about preparing for the changes ahead in the PCI DSS, and to learn how the Sikich PCI DSS 4.0 Jumpstart Program can help, reach out to our team of assessors.