When the PCI SSC first published PCI DSS v4.0, it included a findings option, “In Place with Remediation”, which was later removed from the standard because it was confusing and because the various PCI stakeholder groups differed on how it should be used.

In its place, the Council said that they would add a worksheet for the QSA to record items noted during the assessment that required remediation. The INFI is that worksheet.

Some important things to note:

  • The INFI is a required document for PCI DSS v4.0 assessments done by a QSA. ISAs are encouraged, but not required, to complete it.
  • The document’s audience is the entity being assessed.
  • FAQs can be found here.