PFI Companies must adhere to the independence requirements of the PFI program as defined in the PFI Qualification Requirements and Program Guide. Whether a PFI Company can conduct a PFI investigation more than once on the same entity will depend on circumstance. For example; if during an investigation the PFI Company carried out work which impacted the PCI DSS compliance status of the entity, and the entity subsequently identifies or suspects a breach, that PFI Company is not able to satisfy the independence requirements for a subsequent investigation.
Each payment brand has their own rules when a PFI must be engaged, and merchants should consult their acquirer and/or the payment brands concerning any issues which may influence a PFI Company’s ability to perform an independent investigation.
Payment brand contact details are provided in How do I contact the payment card brands?
Article Number 1444