PCI Security Standards Council Bulletin: New PCI DSS v4.x Worksheet and Guidelines Published to Support Security as a Continuous Process
28 June 2023
PCI SSC has published the PCI DSS v4.x Items Noted for Improvement (INFI) Instructions and
Worksheet to support security as a continuous process. Developed with feedback from PCI SSC’s global
payments community, this worksheet is designed to provide a consistent method to identify and
document areas needing improvement in an organization's security posture, to help organizations
address those areas and support their ability to maintain security as a continuous process.
The INFI worksheet is intended for internal use between the assessor and assessed entity. Qualified
Security Assessors (QSAs) are required to complete this worksheet for all PCI DSS v4.0 assessments
documented in a Report on Compliance (ROC). While it is not required for Internal Security Assessors
(ISAs) or self-assessments, it is recommended as it is a valuable tool to help organizations identify and
address areas needing improvement and to ultimately improve their security posture.
To support the effective use of this worksheet, PCI SSC has published additional supporting materials,
including FAQs for the INFI worksheet and guidance on the use of INFI and compensating controls. The
worksheet and supporting materials are linked below and can also be downloaded from the PCI SSC
Document Library.
• INFI Instructions and Worksheet
• FAQs for INFI Worksheet
• INFI and Compensating Controls Guidance
Updates to the QSA Program Guide and QSA Qualification Requirements have also been published to
the PCI SSC Document Library and include assessor expectations and requirements for the completion
of the INFI Worksheet.
###
The information in this bulletin is no longer valid as of 20 March 2024 and has been superseded by a new bulletin available here.