
PCI Forensic Investigator (PFI) Program

How to Apply

The PCI Forensic Investigator (PFI) program establishes and maintains rules and requirements regarding eligibility, selection and performance of companies that provide forensic investigation services to ensure they meet PCI Security Standards. The PFI program aims to help simplify and expedite procedures for approving and engaging forensic investigators by:

  • Providing a single set of requirements for forensic investigators upon which market participants may align
  • Maintaining a list of Council-approved forensic investigators for compromised entities to choose from
  • Providing guidance on how investigations are to be conducted and reported


Eligible PFI candidates must be recognized as a QSA Company. It is imperative that forensic investigators involved in this program completely understand the PCI DSS and its intended application within the cardholder data environment.

The Supplemental Requirements document provides details on criteria that each PFI candidate company is required to meet including:

  • The existence of a dedicated forensic investigation practice within your company
  • Staff with the necessary backgrounds and skills
  • Experience performing investigations within the financial industry using proven investigative methodologies and tools
  • Relationships with law enforcement to ensure you can support any resulting criminal investigations


View the list of approved PCI Forensic Investigators.


Initial processing fee and approval fee apply. Please see Supplemental Requirements for more information.

How to Apply

For more information, please contact pfi@pcisecuritystandards.org

PCI Forensic Investigator FAQs



The PCI Security Standards Council (the "Council") provides a variety of tools, questionnaires, guidance, FAQs, training resources and other materials and information to assist organizations seeking to achieve compliance with its standards (the "Standards"). Third party products and services are also available, but the Council does not endorse or recommend any such third party products or services, and advises all organizations seeking to achieve compliance to become familiar with the Standards and related requirements before purchasing third party products or services. Ultimately, all applicable requirements must be met in order to achieve compliance, regardless of whether or what third party products or services are used.