In June 2023, the PCI Security Standards Council introduced a new document you’ll need to know about: “Items Noted for Improvement” (INFI), a worksheet and attestation form you’ll start seeing as part of your PCI DSS v4.0 assessments. When it was released we realised it was a good opportunity to demystify the differences between:

  • Defined Testing (DT)
  • Customised Approach (CA)
  • Compensating Controls (CCWs)
  • Items Noted for Improvement (INFIs)

Most assessments will include defined testing and INFIs. Some assessments will include compensating controls, and we expect that very few organisations will complete the work required to use the customised approach.

In this post, we will go over some of the basic features of each of these items and help you understand how each can be used and when they should be used.

Defined Testing

When we talk about defined testing, we are talking about the requirements and testing procedures that are part of PCI DSS itself. The PCI SSC has defined, for each requirement, the testing procedures it expects an assessor to carry out. This is your “classic” PCI DSS requirement.

Defined tests can have a few different findings:

  • In Place
  • In Place with CCW
  • Not Applicable
  • Not in Place

In the original release of PCI DSS v4.0, there was a new finding called “In Place with Remediation”. That is no longer a finding, but its successor is the INFI.

You’ll also see that there’s a reference to Compensating Controls.

There’s no reference to the Customised Approach because this is a change in how the testing is done rather than how the results are reported.

Customised Approach

The Customised Approach is new to PCI DSS v4.0. It gives organisations the opportunity to meet a PCI DSS requirement in a different way: instead of implementing the requirement and testing procedure as written, the organisation implements controls that meet the requirement’s stated objective.

But there are a few caveats to this that the PCI SSC calls out which are also the reasons why we don’t expect to see the Customised Approach used too often.

  • It can only be used if you are completing a Report on Compliance (RoC) – you cannot use it with a Self-Assessment Questionnaire (SAQ).
  • The controls that are implemented must meet or exceed the security provided by the requirement in the defined approach.
  • The amount of documentation and effort required to validate the customised approach will be greater than what’s required for the defined approach.
  • It is intended only for risk-mature entities with a “robust risk-management approach to security, including but not limited to, a dedicated risk-management department or an organisation-wide risk management approach”

There are also some requirements that the Customised Approach cannot be used for; each requirement in PCI DSS v4.0 states whether it is eligible.

If you meet the criteria for considering using the Customised Approach, then you’ll need to complete:

  • A risk assessment for each requirement met using the customised approach, repeated at least every 12 months
  • A Controls Matrix based on the template in Appendix E1
  • A Targeted Risk Analysis based on the template in Appendix E2

That, along with evidence that the customised controls have been validated, is provided to the QSA, who in turn develops their own testing and validation procedures. And at the end of the day, the customised approach could still be derailed if your compliance-accepting entity (usually the acquiring bank or the card schemes) pushes back.

Compensating Controls

Compensating controls, documented on a Compensating Control Worksheet (CCW), have been around for a long time. They are meant to be used as a proactive way to meet the intent of a requirement when a legitimate constraint prevents you from meeting the requirement as written. But there are a few things that need to be in place to use a compensating control:

  • You must have a business or technical constraint for why you cannot meet the requirement (not wanting to is not a valid business or technical constraint)
  • The compensating control must go “above and beyond” the original PCI DSS requirement
  • You cannot use a control that PCI DSS already requires for the system under review as a compensating control (for example, if the system is already required to use MFA, MFA cannot be the compensating control).

The important thing to note is that compensating controls are meant to be proactive. It is not something that should be used as a reaction or remediation activity for a historical failure. A compensating control is a “proactive development of mitigating actions”.

A Compensating Control can never be used with the Customised Approach.

Items Noted for Improvement

If you’ve ever had your QSA find something that needed to be fixed before they would sign off on the AoC, this is the sort of thing you’ll now see in an INFI. When PCI DSS v4.0r1 was rolled out in December 2022, it removed “In Place with Remediation” and the PCI SSC flagged that something new would be coming in 2023.

That something new was released in June 2023 and is the INFI. An INFI is an item noted as needing correction at the time of the assessment that the organisation then fixes before the assessment is completed.

Examples of the types of things that would be included in INFIs include but are not limited to:

  • A few people who still need to complete their security awareness training
  • A policy/standard that is missing something that’s required for PCI DSS or that’s missing entirely
  • A network change that needs to be made because it was missed as part of a regular review process (for example, the QSA reviews the firewall configuration and identifies a rule that is no longer needed or that expands the scope of the assessment).

There are two new pieces of documentation you’re likely to see during an assessment:

  • INFI Worksheet
  • INFI Worksheet Acknowledgement and Attestation

The documents are required as part of any Report on Compliance and recommended as part of SAQs.

INFI Worksheet

The worksheet outlines every finding where a control has not been fully met. A finding can be identified by either the QSA or the “Assessed Entity” (this just means the organisation being assessed).

The worksheet will only be completed if there are INFIs – if you’ve done everything to the letter for the last 12 months, you might never see this document!

As part of the worksheet, in order for the requirement to be met, the organisation needs to:

  • Identify what caused the failure.
  • Describe the corrective action(s) taken to fix the issue so that it is now in place.
  • Describe the corrective action(s) taken by the entity to prevent the failure from reoccurring.

The key thing to note is that this is not a “get out of jail free” card – it is possible that there may still be controls that could be considered as “Not in Place”.

INFI Worksheet Acknowledgement & Attestation

Regardless of whether any INFIs were identified during the assessment, you will receive an acknowledgement form that includes your sign-off and acknowledgement that:

  • The worksheet (as applicable) has been received,
  • That the cause(s) of the failures have been addressed, and
  • The corrective preventative actions have been implemented.

We recommend that this document is signed by the same person who would sign the Attestation of Compliance.

Can You Combine These?

At this stage (July 2023), we know there are some reporting approaches that can be combined and others that cannot. We think that INFIs will span the breadth of testing procedures because there could be a control failure as part of a compensating control or the customised approach. But if this changes, we will update the information.

                       Defined Test   Customised Approach   Compensating Control   INFI
Defined Test           n/a            Yes                   Yes                    Yes
Customised Approach    Yes            n/a                   No                     Yes?
Compensating Control   Yes            No                    n/a                    Yes?
INFI                   Yes            Yes?                  Yes?                   n/a

(“Yes?” means we expect the combination to be permitted, but it had not been confirmed at the time of writing.)

Summary

To summarise the information provided above, we’ve put some of the key information into the table below. You can use this to work out what might be right for you to use in your assessments.

Who Identifies?

  • Defined Approach: PCI SSC
  • Customised Approach: Assessed Entity
  • Compensating Control: Assessed Entity
  • INFI: Assessed Entity or QSA

How Common?

  • Defined Approach: Very common
  • Customised Approach: Very rare
  • Compensating Control: Common
  • INFI: Almost every assessment

Purpose

  • Defined Approach: Sets out the expected testing procedures and requirements for PCI DSS.
  • Customised Approach: Allows an organisation to meet a PCI DSS requirement in a way that does not strictly follow the defined requirement.
  • Compensating Control: Allows an organisation with a business or technical constraint to meet the requirement by implementing controls that go above and beyond the original control.
  • INFI: Identifies one or more items that require corrective action before the assessment is complete and the requirement can be considered in place.

Proactive or Reactive?

  • Defined Approach: Proactive
  • Customised Approach: Proactive
  • Compensating Control: Proactive
  • INFI: Reactive

Level of Maturity Required

  • Defined Approach: Basic
  • Customised Approach: Very mature
  • Compensating Control: Basic
  • INFI: Basic

Short or Long Term?

  • Defined Approach: Ongoing
  • Customised Approach: Likely long term
  • Compensating Control: Short or long term, depending on the constraint
  • INFI: Short term, plus long-term remediation to prevent recurrence

Assessment Types Applicable

  • Defined Approach: ROC, SAQ
  • Customised Approach: ROC only
  • Compensating Control: ROC, SAQ
  • INFI: ROC (required), SAQ (recommended)

Key PCI Document(s)

  • Defined Approach: PCI DSS v4.0
  • Customised Approach: PCI DSS v4.0, Appendix D (PCI DSS v4.0), Appendix E (PCI DSS v4.0)
  • Compensating Control: PCI DSS v4.0, Appendix C (ROC), Appendix B (SAQ)
  • INFI: INFI Instructions & Worksheet

Need Help?

If you need help developing your compensating controls or customised approaches, or just validating your PCI DSS compliance, talk to us to see how we can help you. We can help demystify PCI DSS.