American Express Data Security – https://www209.americanexpress.com/merchant/services/en_US/data-security
Discover Information Security & Compliance (DISC) – https://www.discoverglobalnetwork.com/en-us/business-resources/fraud-security/pci-rules-regulations/discover-information-security-compliance
JCB Security Program – https://www.global.jcb/en/products/security/data-security-program/
MasterCard International Site Data Protection (SDP) Program – https://www.mastercard.us/en-us/business/overview/safety-and-security/security-recommendations/site-data-protection-PCI/merchants-need-to-know.html
Visa International
- Visa Global Web Site Locator – http://www.visa.com/globalgateway/gg_selectcountry.jsp?retcountry=1
- Visa Canada Account Information Security (AIS) – https://www.visa.ca/en_CA/run-your-business/merchant-resources/merchant-security.html
- Visa Europe Account Information Security (AIS) – http://www.visaeurope.com/receiving-payments/security/
- Visa Latin America/Caribbean Account Information Security (AIS) – https://www.visa.com.gt/soporte/pequenas-empresas/seguridad-de-datos.html
- Visa Southeast Asia Account Information Security (AIS) – http://www.visa.com.au/ap/sg/merchants/stayingsecuremerchants/accountsecurity.shtml
- Visa USA Cardholder Information Security Program (CISP) – https://usa.visa.com/support/small-business/security-compliance.html
I have a two-part question on the PCI Forensic Investigator (PFI) Program and requirement. It seems like hiring a forensic investigation firm on retainer proactively is the smart approach for Level 1 merchants, so as to avoid paying through the nose in case a breach does occur and having no time left to negotiate. The question is: what if one is already on retainer, but it turns out that firm is NOT a PFI (but still a reputable forensic investigation firm)?
1. Is hiring a certified PFI a PCI-DSS requirement? It doesn’t seem to be explicitly listed.
2. Is it common for all Level 1 merchants to just accept this, hire a PFI on retainer, and move on? Or is the requirement to use a PFI certified/approved forensics firm negotiable with each card brand? If not negotiable, why doesn’t the PCI council write this requirement into the PCI-DSS, or at least improve awareness of this topic, so that merchants can hire a PFI certified firm on retainer? All the wording I’ve found on the PCI council website is noncommittal and uses language like “may be required by card brands”.
It is the card brands that enforce the use of the PFI. If you already have an examiner on retainer, I would ask your bank to ask the brands to get you a waiver on the PFI. However, be prepared to have them say “No”.
The reason the requirement is not in the DSS is because not all the brands are in agreement that a PFI is necessary. As far as I am aware, only Visa and MasterCard have such a requirement.
The Asia Pacific Visa link is broken unfortunately. Visa seem to jiggle their pages all the time! But a great resource nonetheless.
Thanks. It has been fixed.
Great resources…thank you!