Frequently Asked Question

Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Yes, a PFI Final Report is required. The expectation is that the PFI must complete the merchant's PFI Investigation and produce the Final PFI Report, with details of adequate evidence to support claims.
PCI SSC has received multiple inquiries on how to move forward on a third-party service provider case where the breach has been confirmed to have occurred and to have affected merchants, particularly where some affected merchants may have already begun their own PFI engagements. While there is no "one size fits all" response to such inquiries, PCI SSC can provide the following guidance to PFIs in determining next steps:
- When a PFI investigates a third-party service provider incident, scoping should include steps to identify and include any third-party connections as part of incident validation and assessment, including affected merchants and their sponsoring acquirers.
- In the example of a merchant for which a PFI has already completed the PFI Preliminary Incident Response Report and delivered it to each affected Participating Payment Brand before evidence is produced that a third-party service provider was in fact responsible for the breach affecting the merchant, PFIs are expected to fully complete a Final PFI Report for the merchant. The PFI is expected to complete the merchant investigation, confirm that the breach is related to the third-party service provider incident, and document that confirmation in the Final PFI Report. It would be reasonable to explain what was investigated, at what point the PFI became aware of the findings for the third-party service provider, and to clearly communicate what was assessed at the merchant and report those findings (conclusive or inconclusive).
- Whether the same PFI Company did or did not assess the third-party service provider and the merchant may affect the level of reporting; if the same PFI Company assessed both, they would reasonably have access to more relevant data than a PFI Company who did not assess the third-party service provider but is assessing an affected merchant.
- Where a third-party service provider PFI investigation has identified affected merchants and no PFI has been engaged for any affected merchant, it is recommended to consolidate the merchant cases into the third-party provider case as a matter of efficiency instead of opening an individual merchant PFI if required by a different workstream or regulatory agency. While the final decision does not rest with the PFI, the PFI must consult with Participating Payment Brands and affected acquirers on how to proceed with the investigation.
- Where there is sufficient evidence, based on one or more merchant PFI investigation(s), that indicates the breach was caused by the third-party service provider, and the third-party service provider is not cooperative and/or has not engaged a PFI, the PFI must inform the Participating Payment Brands and affected acquirers.
Payment Brand contact details are provided in FAQ #1142, "How do I contact the payment card brands?"
August 2024
Article Number: 1571