The New PCI DSS INFI Worksheet: What You Need to Know
In June 2023, the Payment Card Industry Security Standards Council (PCI SSC) released a new worksheet entitled “Items Noted for Improvement” (INFI)—while the Council encourages use of this worksheet for assessments based on earlier versions of PCI DSS, organizations undergoing a PCI DSS v4.0 assessment are required to use it.
Among all the other changes organizations are having to accommodate in PCI DSS v4.0, adjusting to the new INFI worksheet has now been added to the list. As experienced PCI DSS Qualified Security Assessors (QSAs), we’ve broken down various other aspects of this new version of the standard, and now we’re going to do the same with this worksheet.
In this article, we’ll break down the purpose of the INFI worksheet, what it contains, and what role it serves in your security and compliance processes so that you can more easily slot it into your established PCI DSS routine.
Why Was the PCI DSS INFI Worksheet Introduced?
In the original version of the PCI DSS v4.0, the Report on Compliance (ROC) included an option for an “in place with remediation” status. However, after soliciting and receiving feedback from PCI stakeholders, the PCI SSC determined that this status should be removed, and it was removed in the December 2022 re-publication of the v4.0 ROC template.
But although the “in place with remediation” status was removed, the PCI SSC and industry stakeholders agreed that a method to track and document remediation activities was still relevant and warranted, and so the INFI worksheet was introduced.
What is the PCI DSS INFI Worksheet?
A simple document, the INFI worksheet includes the following information:
- The PCI DSS requirement that is not being met
- A description of the issue
- Cause of the failure
- Corrective action taken
- Preventative action taken
Designed to help organizations identify and address areas needing improvement in their security posture on an ongoing basis, the INFI worksheet should be used to track any identified remediation items resulting from the assessment activities to support PCI DSS compliance.
Such remediation items could include (but are not limited to) items such as:
- Improper segmentation
- Unencrypted primary account numbers (PANs)
- Missing periodic requirements such as internal vulnerability scans
Periodic requirements are one of the primary focuses of the worksheet, as recurring issues with periodic controls have become so common that the Council published an FAQ on the topic in August 2023.
(The FAQ uses missed ASV scans as its primary example of how to complete an INFI worksheet. Not only does this new worksheet provide a method to track missed ASV scans year-over-year, but it also removes the burden of drafting a pointless compensating control for an activity that was missed in the past.)
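To make the periodic-requirement use case concrete, the following added example (not from the article or the PCI SSC) checks a twelve-month assessment window for three-month periods with no passing ASV scan and drafts an INFI worksheet row for each gap, using the five fields listed above. The requirement number 11.3.2 (external ASV scans in v4.0) and the scan dates are supplied by me; the cause, corrective action and preventative action are left for the assessed entity to complete.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class InfiItem:
    """One row of an INFI worksheet: the five fields the worksheet captures."""
    requirement: str
    description: str
    cause: str = ""                # completed by the assessed entity
    corrective_action: str = ""    # completed by the assessed entity
    preventative_action: str = ""  # completed by the assessed entity


def add_months(d: date, n: int) -> date:
    """Advance d by n months, snapping to the first of the month."""
    m = d.month - 1 + n
    return date(d.year + m // 12, m % 12 + 1, 1)


def three_month_periods(window_start: date, window_end: date):
    """Yield consecutive three-month periods [start, end) covering the window."""
    start = date(window_start.year, window_start.month, 1)
    while start <= window_end:
        end = add_months(start, 3)
        yield start, end
        start = end


def missed_scan_periods(window_start, window_end, passing_scans):
    """Return the periods in which no passing scan date falls."""
    return [(s, e) for s, e in three_month_periods(window_start, window_end)
            if not any(s <= scan < e for scan in passing_scans)]


def infi_items_for_asv_gaps(window_start, window_end, passing_scans,
                            requirement="11.3.2"):
    """Draft one INFI row per three-month period with no passing ASV scan."""
    return [
        InfiItem(requirement=requirement,
                 description=f"No passing ASV scan between {s} and "
                             f"{e - timedelta(days=1)}")
        for s, e in missed_scan_periods(window_start, window_end, passing_scans)
    ]


# Constructed sample data: a calendar-year window with a gap in Jul-Sep.
WINDOW_START = date(2023, 1, 1)
WINDOW_END = date(2023, 12, 31)
PASSING_SCANS = [date(2023, 2, 10), date(2023, 5, 15), date(2023, 11, 20)]

if __name__ == "__main__":
    for item in infi_items_for_asv_gaps(WINDOW_START, WINDOW_END, PASSING_SCANS):
        print(item)
```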
Still, usage of this worksheet is not limited to periodic requirements—the INFI worksheet will aid you in tracking all remediation items and ensuring that they are completed promptly, making it a valuable new tool for organizations that are committed to maintaining strong security controls.
By using the INFI worksheet effectively, you’ll be better equipped to continuously improve your security posture and reduce the risk of a data breach—all of which will mean your customers’ data is better protected.
Further Considerations for the PCI DSS INFI Worksheet
To support such effective use of this worksheet, PCI SSC has published additional supporting materials, including FAQs for the INFI worksheet and guidance on the use of INFI and compensating controls.
Some other things to keep in mind regarding the PCI DSS INFI worksheet include:
- The INFI worksheet is not referenced in the AOC or ROC.
- The INFI worksheet is intended for internal use only—the PCI SSC does not require assessed entities to share it with third parties.
- Although a final worksheet will be provided by your QSA at the conclusion of an assessment, the INFI worksheet should be treated as a living document.
Do You Have to Sign the INFI Worksheet to Get Your ROC or AOC?
All that being said, we’ve received a lot of questions about this worksheet as organizations have begun to adjust to its use in their PCI DSS compliance, but the most common one has been, “Do we have to sign this worksheet to get a ROC or AOC?”
The answer is no (though your QSA does sign it). But even though you’re not required to sign the INFI worksheet—nor is it referenced in the ROC or the Attestation of Compliance—it’s still a valuable tool for tracking remediation items and ensuring that they are resolved quickly.
Learn More About PCI DSS v4.0 Compliance
The new PCI DSS v4.0 made a lot of changes to the flagship payment security standard, and the INFI worksheet represents just one of them. Intended to help with important remediation procedures, this new document will not only assist in ensuring more comprehensive PCI DSS compliance, but it’ll also strengthen your overall security.
For more breakdowns of other important updates that PCI DSS v4.0 introduced, we’ve written many different articles detailing them here:
- How to Define Time in PCI DSS 4.0
- Decrypting Cryptographic Requirements in PCI DSS v4.0
- Factoring in Multi-Factor Authentication in PCI DSS v4.0
- How to Keep Legacy Systems Compliant Under PCI DSS v4.0
- Understanding the Updates to Risk Management in PCI DSS v4.0
- Scoping Out Scoping Requirements in PCI DSS v4.0
- What is PCI DSS v4.0 Requirement 11.4.4?
- Early Insight into a PCI DSS v4.0 Assessment
We also feature articles targeted to specific organizations and what they should pay particular attention to with the new standard:
- What Service Providers Should Know About PCI DSS v4.0
- What Banks Need to Know about PCI DSS v4.0
- How Payment Facilitators Can Manage Under PCI DSS v4.0
And if you have any further questions not addressed in these pieces—including any regarding the INFI worksheet—please contact us.