866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

The New PCI DSS INFI Worksheet: What You Need to Know Blog Feature
MATT CRANE

By: MATT CRANE

Print/Save as PDF

The New PCI DSS INFI Worksheet: What You Need to Know

Payment Card Assessments

In June 2023, the Payment Card Industry Security Standards Council (PCI SSC) released a new worksheet entitled “Items Noted for Improvement” (INFI)—while the Council encourages use of this worksheet for assessments based on earlier versions of PCI DSS, organizations undergoing a PCI DSS v4.0 assessment are required to use it.

Among all the other changes organizations are having to accommodate in PCI DSS v4.0, adjusting to the new INFI worksheet has now been added to the list. As experienced PCI DSS Qualified Security Assessors (QSAs), we’ve broken down various other aspects of this new version of the standard, and now we’re going to do the same with this worksheet.

In this article, we’ll break down the purpose of the INFI worksheet, what it contains, and what role it serves in your security and compliance processes so that you can more easily slot it into your established PCI DSS routine.

Why Was the PCI DSS INFI Worksheet Introduced?

In the original version of the PCI DSS v4.0, the Report on Compliance (ROC) included an option for an "in place with remediation” status. However, after soliciting and receiving feedback from PCI stakeholders, the PCI SSC determined that status should be removed, and it was in the December 2022 re-publication of the v4.0 ROC template.

But although the 'in place with remediation status' was removed, the PCI SSC and industry stakeholders agreed that a method to track and document remediation activities was still relevant and warranted, and thus the INFI worksheet was introduced.

What is the PCI DSS INFI Worksheet?

A simple document, the INFI worksheet includes the following information:

  • The PCI DSS requirement that is not being met
  • A description of the issue
  • Cause of the failure
  • Corrective action taken
  • Preventative action taken

Designed to help organizations identify and address areas needing improvement in their security posture on an ongoing basis, the INFI worksheet should be used to track any identified remediation items resulting from the assessment activities to support PCI DSS compliance.

Such remediation items could include (but are not limited to) items such as:

  • Improper segmentation
  • Unencrypted primary account numbers (PANs)
  • Missing periodic requirements such as internal vulnerability scans

Periodic requirements are one of the primary focuses of the worksheet, as reoccurring issues with periodic controls have become so common that the Council published an FAQ in August 2023.

(The FAQ uses missed ASV scans as its primary example for filling and completing an INFI worksheet, and not only does this new worksheet provide a method to track missed ASV scans year-over-year, but it also removes the burden of drafting a pointless compensating control for an activity that was missed in the past.)

Still, usage of this worksheet is not limited to periodic requirements—the INFI worksheet will aid you in tracking all remediation items and ensuring that they are completed promptly, making it a valuable new tool for organizations that are committed to maintaining strong security controls.

By using the INFI worksheet effectively, you’ll be better equipped to continuously improve your security posture and reduce the risk of a data breach—all of which will mean your customers’ data is better protected.

Further Considerations for the PCI DSS INFI Worksheet

To support such effective use of this worksheet, PCI SSC has published additional supporting materials, including FAQs for the INFI worksheet and guidance on the use of INFI and compensating controls.

Some other things to keep in mind regarding the PCI DSS INFI worksheet include:

  • The INFI worksheet is not referenced in the AOC or ROC.
  • The INFI worksheet is intended for internal use only—the PCI SSC does not require assessed entities to share it with third parties.
  • Although a final worksheet will be provided by your QSA at the conclusion of an assessment, the INFI worksheet should be treated as a living document.

Do You Have to Sign the INFI Worksheet to Get Your ROC or AOC?

All that being said, we’ve received a lot of questions about this worksheet as organizations have begun to adjust to its use in their PCI DSS compliance, but the most common one has been, “Do we have to sign this worksheet to get a ROC or AOC?”

The answer is no (though your QSA does). But even though you’re not required to sign the INFI worksheet—nor is it referenced in the ROC or the Attestation of Compliance—it’s still a valuable tool for tracking remediation items and ensuring that they are resolved quickly.

Learn More About PCI DSS v4.0 Compliance

The new PCI DSS v4.0 made a lot of changes to the flagship payment security standard, and the INFI worksheet represents just one of them. Intended to help with important remediation procedures, this new document will not only assist in ensuring more comprehensive PCI DSS compliance, but it’ll also strengthen your overall security.

For more breakdowns of other important updates that PCI DSS v4.0 introduced, we’ve written many different articles detailing them here:

We also feature articles targeted to specific organizations and what they should pay particular attention to with the new standard:

And if you have any further questions not addressed in these pieces—including any regarding the INFI worksheet—please contact us.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.