As the world transitions to PCI DSS v4.0, both enterprises and assessors are adjusting their operational strategies to meet the new requirements. Although the primary focus remains on implementing the required controls, PCI DSS v4.0 also introduces a customized approach to validation, giving organizations the opportunity to improve their overall ability to securely store, process, or transmit cardholder data. One element that reflects this shift is the ‘Items Noted for Future Improvement’ worksheet, also known as INFI.
The PCI Security Standards Council promotes the INFI worksheet as a tool that helps organizations not only secure cardholder data more effectively, but also pinpoint and address weaknesses before they become critical.
Assessors have traditionally encountered two situations during an assessment:
1. Practices that, although compliant with PCI DSS requirements, could benefit from enhancement.
2. A control that is found to be inadequately implemented, but which the organization rectifies before the assessment is completed, resulting in a “Compliant” (In Place) status.
In either case, the assessor would typically capture the observation in a note, an e-mail, or perhaps a presentation delivered to the organization, describing the activity or the poorly implemented control.
INFI formalizes these notes, e-mails, and presentations into a log that the organization retains and that future assessors can use to understand the organization’s journey. The INFI worksheet is completed by the Qualified Security Assessor (QSA) conducting the assessment, is recorded together with an attestation by the assessor, is submitted to the assessed entity, and is retained by the QSA or their company.
The INFI worksheet, if properly endorsed by an organization, will capture areas for future improvement and form the backbone of continuous improvement work relating to payment card activity for the upcoming year.
CSA has identified a few examples that highlight the importance of INFI:
Scenario 1: An organization identified that one of their quarterly Approved Scanning Vendor (ASV) scans has been performed against an incorrect scope. This may have been a procedural error due to the scope not being updated following the introduction of new assets into the environment. Scans since this event have all been performed against the correct scope and passed successfully, mitigating any immediate concerns. However, as a procedural error has been identified, the organization will benefit from this being recorded, and the journey to ensure this does not occur again may provide vital evidence in future assessments of continuous improvement.
Scenario 2: A small number of accounts have remained in Active Directory beyond the time stipulated in the relevant policy for routine housekeeping to revoke, disable, and remove accounts when an employee leaves. However, they are removed prior to the end of the assessment. It is understood that the most recent management check did not take place because other work was considered a priority. The INFI worksheet records the event and the activity undertaken to overcome the issue, and provides evidence to management and stakeholders to support the measures required to ensure it does not happen again.
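Both Scenario 1 (an asset introduced after the ASV scope was last updated) and Scenario 2 (leaver accounts still enabled past the policy window) are the kind of gap an entity can catch itself before the assessor does, which is what the “Issue Identified by: entity” column of the worksheet is for. The following is an added example, not code from the article, CSA, or the PCI Security Standards Council: two self-checks run against constructed sample data. The asset inventory, ASV target list, leaver dates, directory export, and the 7-day disable window are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# --- Scenario 1: does the ASV target list still cover every external asset? ---

# Constructed sample data (hypothetical): externally reachable hosts from the
# asset inventory, and the target list that was handed to the ASV last quarter.
ASSET_INVENTORY = {
    "web-01": "203.0.113.10",
    "web-02": "203.0.113.11",
    "api-01": "203.0.113.20",  # added after the scope was last updated
}
ASV_SCAN_SCOPE = ["203.0.113.10", "203.0.113.11"]


def assets_missing_from_scan_scope(inventory, scan_scope):
    """Return {name: address} for inventory hosts not covered by any scan target.

    Targets may be single addresses or CIDR ranges; ip_network() accepts both.
    """
    targets = [ip_network(t, strict=False) for t in scan_scope]
    return {
        name: addr
        for name, addr in inventory.items()
        if not any(ip_address(addr) in net for net in targets)
    }


# --- Scenario 2: are leaver accounts still enabled past the policy window? ---

@dataclass(frozen=True)
class Account:
    sam: str       # sAMAccountName as exported from the directory
    enabled: bool  # True if the account can still log on


# Constructed sample data (hypothetical): HR leaving dates and a directory export.
LEAVERS = {
    "jsmith": date(2024, 1, 5),
    "rpatel": date(2024, 2, 20),
    "lchen": date(2024, 3, 1),
}
DIRECTORY = [
    Account("jsmith", True),   # left two months ago, still enabled
    Account("rpatel", False),  # left, correctly disabled
    Account("lchen", True),    # left three days ago, still inside the window
    Account("mjones", True),   # current employee
]
DISABLE_WITHIN_DAYS = 7       # assumed policy window, not a PCI DSS value
TODAY = date(2024, 3, 4)      # fixed "today" so the example is reproducible


def accounts_past_disable_deadline(directory, leavers, window_days, today):
    """Return [(sam, days_since_leaving)] for enabled accounts of leavers whose
    disable deadline (leaving date + window) has already passed."""
    deadline = today - timedelta(days=window_days)
    overdue = []
    for acct in directory:
        left = leavers.get(acct.sam)
        if left is None or not acct.enabled:
            continue  # not a leaver, or already handled
        if left <= deadline:
            overdue.append((acct.sam, (today - left).days))
    return overdue


def run_checks():
    """Run both self-checks and return findings keyed by scenario."""
    return {
        "unscanned_assets": assets_missing_from_scan_scope(ASSET_INVENTORY, ASV_SCAN_SCOPE),
        "overdue_accounts": accounts_past_disable_deadline(
            DIRECTORY, LEAVERS, DISABLE_WITHIN_DAYS, TODAY
        ),
    }


if __name__ == "__main__":
    for scenario, findings in run_checks().items():
        print(scenario, findings)
```

Each non-empty result is a candidate INFI row: the finding supplies the “Description of Issue” (affected components and the period the control was not applied), and the fix to the scoping or leaver process supplies the “Corrective” and “Preventative Action Taken” columns. Running the checks on a schedule rather than only before an assessment is exactly the kind of preventative action the worksheet is meant to evidence.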
Scenario 3: An employee in a major high street café chain explains that they have never inspected a Point of Sale (POS) device for evidence of tampering and have never received security training. However, the other employees in the sample displayed the correct level of awareness, leading the assessor to conclude that this employee had ‘slipped the net’ for reasons unknown. Future assessments may benefit from a slightly larger sample to increase the chance of identifying further instances, perhaps revealing a trend or root cause. The INFI worksheet communicates this in a record that future assessors will review and use when planning their assessments.
The PCI Council stresses that this should be an internal document between the assessor and the assessed entity, designed to help the organization better understand its security posture and work toward improvement. Additionally, whilst INFI has been introduced as a requirement for all assessments conducted against PCI DSS v4.0, its use is also encouraged for any assessment, including those completed now against v3.2.1.
QSAs will be required to complete the INFI worksheet for every assessment, even where nothing has been identified. In addition, the organization will be required to countersign the document, which forms part of the assessor’s work papers and is held as evidence alongside all documentation provided by the organization.
The PCI Council has provided a table delineating the definitions of each heading in the INFI Worksheet. These definitions serve as an invaluable foundation for establishing organizational processes and shaping future operational strategies.
| INFI Worksheet Column Heading | Description of Information Required |
|---|---|
| Requirement # | PCI DSS Requirement number. |
| Issue Identified by | Indicate whether the entity or the assessor identified the need for corrective action. |
| Description of Issue | Which aspect(s) of the requirement was noted as needing corrective action? For example, describe which controls or processes were not properly implemented or were not applied to all in-scope system components. Identify the affected components and the period of time that the controls were not implemented. |
| Cause of Failure | What caused the failure that resulted in the need for corrective action? For example, describe what caused the control or process to not be properly implemented or to not be applied to all in-scope system components. |
| Corrective Action Taken | Describe the corrective action(s) taken by the entity that resulted in the requirement being In Place. For example, which actions were performed by the entity that resulted in the control or process being properly documented and implemented and applied to all in-scope system components. |
| Preventative Action Taken | Describe the actions taken by the entity to help prevent the reoccurrence of the failure. For example, which controls/processes the entity documented and implemented to address the cause(s) of the failures and provide assurance that the requirement will continue to be properly implemented and applied to all in-scope system components. |
Source: PCI Security Standards Council
As PCI DSS continues to evolve, tools like INFI become crucial in helping organizations address weak points before they escalate into compliance failures or security incidents. Used well, the worksheet supports not only compliance but a more robust, secure cardholder data environment.