In March 2025 the PCI SSC published a new guide that will totally change the process of evaluating controls of their standards, allowing the controlled use of Artificial Intelligence (AI) technologies to support QSA advisors: Payment Card Industry (PCI) Integrating Artificial Intelligence in PCI Assessments – Guidelines.

Apart from Whatever our opinion about artificial intelligence (AI), what is certain is that it is a concept that is setting a trend in the current technological environment. Although the first approximations in its development date from the time of Alan Turing and the publication of his articleComputing Machinery and IntelligenceIn 1950, it was not until relatively few years ago that this concept became more widespread with the publication of GPT (Generative Pre-trained Transformer) by OpenAI and the introduction of artificial intelligence systems for image processing (Dall-E).

Currently, they already exist AI Agents that they can interact with their environment and execute tasks autonomously following the instructions of a user or another system and it was a matter of time before these tools became part of the technical arsenal employed by qualified security advisors (Qualified Security Assessors – QSA) during the assessments of compliance with the controls of the PCI SSC standards.

However, there were many doubts about the use of this new technology in compliance assessments. Can a QSA be completely replaced by an AI? What tasks can be delegated to an AI and what tasks cannot? What ethical, legal and safety restrictions must be implemented so that this technology can be used appropriately? Luckily, we already have a basic reference document: Payment Card Industry (PCI) Integrating Artificial Intelligence in PCI Assessments – Guidelines.

Artificial intelligence is a tool, it is not the Advisor

This new PCI SSC document sets out the basic criteria for the use of artificial intelligence technologies in PCI SSC assessments. However, the first thing that is made clear is that Artificial intelligence tools cannot take on the role of an advisor.

The advisor should always monitor the process, make critical judgments (including the decision about the final status of the assessment), interpret complex requirements or context-specific problems, authorize the publication of final reports, execute on-site inspections, and ensure the accuracy and integrity of the final report, while AI tools can support repetitive activities such as data analysis and review of documentation and logs.

This document also emphasizes the crucial role of human evaluators in validating AI outcomes and making final decisions on compliance, highlighting that AI is a tool that helps - not replaces - human experience and judgment.

Use of artificial intelligence technologies in assessments

According to the guide, when these tools are used in compliance assessments, it is essential to establish clear communication with the client and establish the tasks that will be delegated to artificial intelligence tools, among which can be included:

  • Automated evidence review
  • Creation of working papers
  • Support in remote interviews (scheduling and transcription of interviews)
  • Support when creating final reports
  • Execution of Preliminary Quality Review (QA) Tasks

All these activities should always be supervised by an advisor, who should be ultimately responsible for the decisions and conclusions of the evaluation. Likewise, it is also the responsibility of the company QSAC (QSA Company) regularly evaluate AI solutions by verifying their accuracy, reliability and alignment with PCI SSC requirements in order to detect and correct biases or errors.

Policies and procedures for the use of AI

For the use of AI technologies to be effective and safe, it is imperative that QSAC establishes clear and detailed policies and procedures for the use of AI in order to maintain the integrity, accuracy and security of the assessment process. In principle, the following elements should be taken into account:

  • How AI solutions are used and validated
  • Selection and qualification processes for AI systems
  • Types of evidence that AI can process
  • Considerations in data management and security

In addition, it should be clear in contracts with customers how their data will be processed, including their use for training (training) of AI models, unless explicitly authorised.

Final comments

The PCI SSC already clarifies this at the beginning of this new guide: AI technologies are in full development and their use will have to be adapted to the changes in this area. While it is true that this is an initial and rather brief guide with recommendations at a very high level, At PCI Hispano, we miss a more detailed analysis of the privacy implications of using AI technologies in compliance assessments. Once an AI agent is integrated into the assessment process and given access to sensitive data (logs, policies, evidence, etc.), through inference and aggregation it is possible to extrapolate other sensitive data from the organisation to a third party (the provider of the AI platform), creating a new point of failure susceptible to exfiltrations, unauthorized access to data, etc.

Security threats from AI actors – Source: www.pillar.security

In that case, from PCI Hispano we recommend the following additional actions if the use of AI in evaluation processes is considered:

  • Analyze the use of Artificial Intelligence (AI) solutions within the organization using reference frameworks for the identification and management of their risks. In this case, the NIST AI risk management framework can be used (NIST AI Risk Management Framework – AI RMF), which includes multiple recommendations for the deployment and safe use of these technologies.
  • Prevent AI solutions from processing payment card data. If this happens, the provider of such solutions will also be subject to PCI DSS compliance due to the processing, storage and/or transmission of card data.
  • Validate compliance with privacy and security regulations by AI solution providers if their services are in the cloud. This is important for compliance with legislation such as GDPR.

 

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.

Leave to Reply