Earlier this year, the Payment Card Industry Security Standards Council (PCI SSC) released its guidance on how Artificial Intelligence (AI) can be used in PCI assessments. As a member of the PCI SSC Board of Advisors, I wanted to highlight some of the key themes coming out of that guidance. You can also view the full guidance document here.
AI’s growing impact on fintech and payments is impossible to ignore, and PCI assessments are no exception. As businesses strive for greater efficiency and accuracy in securing payment card data, AI presents an opportunity to further automate processes, analyze large datasets, and enhance compliance efforts. AI should be able to meaningfully reduce the time spent on evidence review and work-paper generation – Level 1 audits can take up to six months and cost more than $100,000.
However, while AI is a powerful tool, it is not a replacement for human assessors.
Assessors will continue to play a crucial role in overseeing the assessment process, making critical judgments, and ensuring the accuracy and completeness of the final report. AI can assist with tasks such as data analysis and document review, but the ultimate
responsibility remains with a qualified assessor. AI should never:
- Make final compliance decisions
- Interpret complex security requirements
- Authorize the release of assessment findings
AI is only a support tool to enable qualified assessors to be more efficient.
What can AI assist with in PCI assessments?
There are multiple areas where AI technology can assist assessors by automating repetitive tasks, improving accuracy, and allowing human assessors to focus on higher-level analysis and risk management. These include:
- Reviewing Artifacts – AI can automate the review of large volumes of documents, including policies, procedures, network diagrams, software source code, system configurations, and logs. It can also be used to identify specific compliance elements and highlight potential areas of concern, significantly reducing manual effort and minimizing human error.
- Creating Work Papers – AI can generate structured summaries and organize data, reducing manual effort and minimizing errors.
- Conducting Remote Interviews – AI can facilitate remote interviews by scheduling, transcribing conversations, and summarizing key points.
- Assisting with Final Assessment Reports – AI can analyze assessment data and suggest phrasing, summarize findings, or structure content according to PCI SSC reporting templates. This can help to ensure that reports are accurate, consistent, and understandable.
The importance of transparency and client communication
The PCI SSC guidelines emphasize the importance of transparency and addressing the challenges associated with AI use. Assessors are expected to communicate clearly with clients about AI involvement, obtain their consent, and provide assurances about data
security and the accuracy of assessment results.
Risks and limitations
While AI can enhance efficiency, it also presents challenges:
- False positives and errors: AI may misinterpret security findings, requiring human validation.
- Bias in AI models: AI must be regularly tested to ensure fair and accurate assessments.
- Data privacy concerns: AI should not be trained on sensitive client data without explicit authorization.
- Over-reliance on automation: Assessors must not blindly trust AI-generated results without verifying accuracy.
To mitigate these risks, AI systems should undergo continuous improvement, bias checks, and validation by independent experts.
Policies and procedures for AI use
To ensure the effective and secure integration of AI in PCI assessments, assessor companies are required to establish clear and detailed policies and procedures for AI use. These procedures should cover:
- How AI is to be used and validated
- Selection and qualification of AI systems
- Types of evidence AI can process
- Data handling and security
Final thoughts
AI is a game-changer for PCI assessments, offering speed, efficiency, and accuracy. However, the human element remains essential. By combining AI capabilities with human expertise, PCI assessments can be more effective and secure. Assessors must adopt clear
policies, ensure transparency, and take responsibility for compliance decisions, ultimately ensuring better protection of payment card data in an evolving digital landscape.
It is also important to note that the PCI Security Standards Council does not endorse any specific AI products or services for PCI assessments. Assessment companies and individual assessors are responsible for evaluating and selecting AI tools based on their
own criteria and due diligence.