Items Noted for Improvement
If you’ve ever had your QSA find something that needed to be fixed before they would sign off on the AoC, this is the sort of thing you’ll now see recorded in an INFI. When the PCI DSS v4.0 Report on Compliance template (r1) was rolled out in December 2022 it removed the “In Place with Remediation” result, and the PCI SSC flagged that a replacement would follow in 2023.
That replacement was released in June 2023: Items Noted for Improvement (INFIs). An INFI is a control gap identified during the assessment that the organisation then fixes so that the requirement can still be reported as in place.
Examples of the types of things that would be included in INFIs include but are not limited to:
- A few people who still need to complete their security awareness training
- A policy/standard that is missing something that’s required for PCI DSS or that’s missing entirely
- A network change that needs to be made because it was missed as part of a regular review process (for example, if the QSA is reviewing the firewall configuration and identifies a rule that is no longer needed or that increases the scope).
There are two new pieces of documentation you’re likely to see during an assessment:
- INFI Worksheet
- INFI Worksheet Acknowledgement and Attestation
The documents are required as part of any Report on Compliance and recommended as part of SAQs.
The worksheet records each finding where a control was not fully met at the time it was tested. A finding can be raised by either the QSA or the “Assessed Entity” (this just means the organisation being assessed).
The worksheet will only be completed if there are INFIs – if you’ve done everything to the letter for the last 12 months, you might never see this document!
For each INFI, in order for the requirement to be reported as met, the organisation needs to document in the worksheet:
- What caused the failure.
- The corrective action(s) taken to fix the issue so that the control is now in place.
- The corrective action(s) taken to prevent the failure from recurring.
The key thing to note is that this is not a “get out of jail free” card: a control that is not actually corrected may still be reported as “Not in Place”.
INFI Worksheet Acknowledgement & Attestation
Regardless of whether any INFIs were identified during the assessment, you will be asked to sign an acknowledgement form confirming that:
- The worksheet (as applicable) has been received,
- The cause(s) of the failures have been addressed, and
- The corrective and preventative actions have been implemented.
We recommend that this document is signed by the same person who would sign the Attestation of Compliance.