Frequently Asked Questions

What changes are PFI companies allowed to make to the PFI Reporting Templates?

FAQ Response

PCI SSC recognizes the need for personalization changes by the PFI to the PFI Reporting Templates, such as the addition of company logos, but requires such changes to be very limited and to follow this guidance:

  • Personalization, such as inclusion of corporate logos and the like, must be limited to the title page of the document.

  • The format of the PFI Reporting Templates must remain unchanged with no deletions. Generally, changes to the format must be limited to the addition of rows as needed. This includes a requirement not to change the order of sections.

  • Again, nothing must be removed, including sections or requirements determined to be not applicable. Those sections and/or requirements must remain in the completed PFI Reporting Template with the “not applicable” result documented instead.

  • The addition of content, such as legal verbiage or additional reporting, is allowed in a limited manner; such additional content/reporting sections should be treated as addendum sections and not added to the PFI Reporting Template format before the appendices. Additions of addendum content should be carefully considered, as accepting brand(s) have the right to not accept such changes. PCI SSC would request that PFIs ensure there is reasonable distinction that the content has been added by the PFI and is not part of the published PCI SSC document.

  • Where a PFI would like to include more information than they feel they can include in the allotted space, they must put an appendix reference in the PFI Reporting Template at the location that expansion is needed and identify where in the appendices that data can be found. Any additional reporting must not be a duplication of information, and must be additional details that add value to the above required sections.

PCI SSC recognizes that this approach is strict and that other Reporting Templates, such as those for PCI DSS and PA-DSS, do not currently have the same limitations at the time of this FAQ. The determination to set such strict boundaries for PFI reporting was made with feedback from the Payment Card brands and similar receiving entities, who note that over-personalization by PFIs in many cases needlessly complicates the review process, which the PFI Reporting Templates were intended to simplify.

Below is an example of how addendum content could be addressed within the PFI Reporting Template where the PFI feels more detail is warranted, but the reporting format doesn’t facilitate that reporting data:

User-added image

March 2015
Article Number 1324