PCI Forensic Investigator (PFI) Program

Requirements
PCI PFI List
Fees
How to Apply
PFI FAQs

The PCI Forensic Investigator (PFI) program establishes and maintains rules and requirements regarding eligibility, selection and performance of companies that provide forensic investigation services to ensure they meet PCI Security Standards. The PFI program aims to help simplify and expedite procedures for approving and engaging forensic investigators by:

• Providing a single set of requirements for forensic investigators upon which market participants may align
• Maintaining a list of Council-approved forensic investigators for compromised entities to choose from
• Providing guidance on how investigations are to be conducted and reported

The PCI PFI program officially launches on March 1, 2011, to coincide with the retirement of requirements and lists managed by payment card brands.

Eligible PFI candidates must be recognized as a QSA Company. It is imperative that forensic investigators involved in this program completely understand the PCI DSS and its intended application within the cardholder data environment.

The Supplemental Requirements document provides details on criteria that each PFI candidate company is required to meet including:

• The existence of a dedicated forensic investigation practice within your company
• Staff with the necessary backgrounds and skills
• Experience performing investigations within the financial industry using proven investigative methodologies & tools; and
• Relationships with law enforcement to ensure you can support any resulting criminal investigations

The Council will maintain a list of approved PCI Forensic Investigators to replace the individual payment card brand lists as of March 1, 2011. View the list of approved PCI Forensic Investigators.

Initial processing fee and approval fee apply. Please see Supplemental Requirements for more information.

For more information, please contact pfi@pcisecuritystandards.org