PCI Security Standards Council®

PCI Forensic Investigators Assessor Feedback

PCI Forensic Investigators (PFIs) help determine the occurrence of a cardholder data compromise and when and how it may have occurred. These PCI Forensic Investigators are qualified by the Council's program and must work for a Qualified Security Assessor company that provides a dedicated forensic investigation practice.

They perform investigations within the financial industry using proven investigative methodologies and tools. They also provide relationships with law enforcement to support stakeholders with any resulting criminal investigations.

This form is used to review PFIs and their work product, and is intended to be completed after a forensic investigation. While the primary audience of this form are PFI clients (merchants or service providers), there are several questions at the end, under “PFI Feedback Form for Payment Brands and Others,” to be completed as needed by Payment Brand participants, banks, and other relevant parties.

Information collected from the Feedback Form will be held in strict confidence and used for the sole purpose of improving the quality of service provided by the PFI.

PFI Feedback Form

Fields marked * are required.

Client (merchant or service provider)

PCI Forensic Investigators Company (PFI)


Location of Assessment

PFI employee who performed Assessment


Dates PFI was onsite for assessment

From / / To / /
For each statement, please indicate the response that best reflects your experience and provide comments.
5 = Strongly Agree             4 = Agree     3 = Neutral      2 = Disagree        1 = Strongly Disagree




Timeliness: Please rate the PFI Company’s performance relative to your own expectations prior to the PFI Investigation.
1. Primary and preliminary reports were delivered within an appropriate timeframe.

2. Regular status updates were provided by the PFI Company as required by involved Participating Payment Brand(s).
3. The PFI Company supplied resources for this engagement sufficient to enable adherence to agreed-upon timelines for the investigation.

4. The PFI Company maintained regular communication regarding the project timeline and any issues, obstacles, or other extenuating circumstances that may have delayed completion.

5. The PFI Company met response time expectations such as deploying staff to respond in an emergency situation within 24 hours to five (5) days of discovery, as required by the Participating Payment Brand.
Note: Arrival time may depend on the geographic location of the trouble site, weather conditions, available transportation and other issues.

6. The PFI Company provided at-risk account numbers in a timely fashion.

Accuracy: In assessing Accuracy, consider whether or not there were instances where you believe the PFI Company made mistakes in methodology or in handling the investigation that led to an unsatisfactory forensic investigative report.
7. The PFI Company and personnel followed the proper methodologies as outlined in the PFI Guidelines (Appendix A to the PFI Program Guide).

8. The PFI Company and personnel identified all applicable causes of compromise during the investigation (i.e., in your opinion they did not miss anything and their conclusions were consistent with available evidence).

Ethics: In assessing Ethics, consider whether or not there were situations in which you believe the PFI Company or its personnel misrepresented or withheld information based on pressure from a key client, acquiring entity, or otherwise.
9. The PFI Company demonstrated compliance with all independence requirements for PFIs and QSAs throughout the PFI Investigation (See Section 2.3 of the PFI Qualification Requirements and Section 2.2 of the QSA Qualification Requirements) and was not the same QSA Company that conducted the initial or any subsequent PCI DSS Assessment of the Entity Under Investigation.

10. The PFI Company fulfilled the objective of providing an independent, unbiased representation of the facts of the case. There were no significant or intentional omissions or misrepresentations of facts or unreasonable delays in conducting the investigation. In addition, the Lead Investigator or a suitable PFI process manager was available to answer questions about the investigation if necessary or appropriate.

Cooperation: In assessing Cooperation, consider whether or not the PFI Company was readily available for discussion of forensic findings and/or follow up questions and account data at risk was provided in a timely manner.
11. The PFI Company completed tasks on time.

12. The PFI Company was regularly and readily available for communication with the affected Participating Payment Brand(s) and their client(s).

13. The PFI Company assigned an appropriately qualified Lead Investigator to respond to and address issues with affected Participating Payment Brands and the investigated organization throughout the PFI Investigation.

14. The PFI Company clearly identified any extenuating circumstances that impacted the investigation

15. If a given PFI Employee investigator did not have sufficient understanding of an issue, the PFI Company had the applicable knowledge and assigned appropriately qualified investigators who performed duties effectively and in a timely manner

Competence: In assessing Competence, consider whether or not the PFI Company or its personnel: were able to complete the PFI Investigation to your satisfaction; possessed the necessary skills or understanding of the task during the investigation; and was able to communicate the findings in a competent manner.
16. The PFI Company investigators were articulate in communicating the investigative findings.

17. The PFI Company demonstrated sufficient understanding of the PCI DSS and the PA-DSS (if applicable).

18. The PFI Company clearly understood how to scope the PFI Investigation.

Reporting: Please assess the PFI’s performance relating to the following:
19. The PFI Company adhered to all PFI Report templates.

20. All final PFI Reports provided adequate content and data that clearly tied the conclusion back to the evidence.

Please provide any additional comments here about the PFI, your assessment, or the PCI DSS documents.

Our website uses both essential and non-essential cookies (further described in our Privacy Policy) to analyze use of our products and services. By clicking “ACCEPT” below, you are agreeing to our use of non-essential cookies to provide third parties with information about your usage and activities. If you click “DECLINE” below, we will continue to use essential cookies for the operation of the website.