The acquiring bank typically provides or approves a short list of PFIs from the PCI SSC qualified list. The entity selects from that list, often with input from outside counsel for privilege considerations. The entity's QSA cannot serve as the PFI.

What does a PFI investigation produce?

A formal PFI report covering forensic acquisition, compromise scope, exposed accounts, compromise timeline, attack vectors, and the PCI DSS compliance state at time of compromise. The report goes to the entity, the acquiring bank, and the card brands.

Is a PFI report privileged?

PFI reports are submitted to card brands and acquiring banks and are not typically privileged from those recipients. Privilege between the entity and other parties can sometimes be preserved if the PFI is engaged through counsel, but the obligation to share with card brands cannot be defeated by privilege.

PFI - PCI Forensic Investigator

Q: What is a PCI Forensic Investigator?

A PFI is an organization qualified by the PCI Security Standards Council to perform forensic investigations following confirmed or suspected compromises of payment card data. PFI engagement is required by card brand notification processes.

Q: When is a PFI engagement required?

When a merchant or service provider experiences a confirmed or strongly suspected cardholder data compromise, the acquiring bank or card brand typically requires a PFI engagement, often within 24 to 48 hours of notification.

A PCI Forensic Investigator (PFI) is an organization qualified by the PCI Security Standards Council to perform forensic investigations following confirmed or suspected compromises of payment card data. PFI engagement is typically required by the card brand notification process when a merchant or service provider experiences a cardholder data compromise; the acquiring bank or card brand directs the engagement.

Source: PCI SSC PFI program page. PFI requirements are defined in the PFI Qualification Requirements published by the PCI SSC.

When PFI Engagement Is Required

Card brand notification processes (Visa AIRS, Mastercard ADC, American Express EIRP, Discover DISC, JCB) typically require a PFI engagement once a cardholder data compromise is confirmed or strongly suspected. The acquiring bank directs the entity to select a PFI from the PCI SSC list, often within 24 to 48 hours of the brand notification.

What a PFI Investigation Covers

Forensic acquisition and preservation of affected systems
Determination of compromise scope: systems, accounts, cardholder data exposed
Determination of the compromise timeline (window of exposure)
Analysis of attack vectors and adversary techniques
Assessment of PCI DSS compliance state at time of compromise
Final PFI report to the entity, acquiring bank, and card brands

PFI Selection and Independence

PFIs must remain independent from the entity under investigation. A QSA (Qualified Security Assessor) that performed the entity's compliance assessment cannot serve as the PFI for that entity. Selection is typically from a short list provided or approved by the acquiring bank, and the engagement letter goes through counsel where privilege is desired.

Coordinate PFI engagement and reporting

IR-OS supports PFI engagement workflows, evidence preservation, and the defensible record card brands and acquirers expect.

Start free

PFI - PCI Forensic Investigator

When PFI Engagement Is Required

What a PFI Investigation Covers

PFI Selection and Independence

Related Terms

Coordinate PFI engagement and reporting