
I was in London for the Q1 2025 PCI SSC (Payment Card Industry Security Standards Council) Board of Advisors meeting in mid March and, as always, we discussed great topics that will further advance the security of protecting card data around the world. The PCI SSC recently released its guidance on how Artificial Intelligence (AI) can be used in PCI Assessments, and I have taken the time to summarize the guidance. You can download the full document here.
AI is transforming industries, and PCI assessments are no exception. As businesses strive for greater efficiency and accuracy in securing payment card data, AI presents an opportunity to automate processes, analyze large datasets, and enhance compliance efforts. However, while AI is a powerful tool, it is not a replacement for human assessors. AI should be able to meaningfully reduce the time spent on evidence review and on generating work papers, which matters because Level 1 audits can take up to six months and cost more than $100,000. The PCI Security Standards Council has released guidelines outlining how AI can be effectively integrated into PCI assessments while ensuring transparency, security, and accountability.
What AI should not do in PCI assessments: AI is a tool, not an assessor
The core principle emphasized in the guidelines is that AI is a tool to support human assessors, not replace them. Assessors will continue to play a crucial role in overseeing the assessment process, making critical judgments, and ensuring the accuracy and completeness of the final report. AI can assist with tasks such as data analysis and document review, but the ultimate responsibility remains with a qualified assessor. AI should never:
- Make final compliance decisions
- Interpret complex security requirements
- Authorize the release of assessment findings
AI is only a support tool to enable qualified assessors to be more efficient.
What can AI assist with in PCI assessments?
What are some of the tasks AI technology can assist assessors with?
AI can automate repetitive tasks and improve accuracy, allowing human assessors to focus on higher-level analysis and risk management. Key areas where AI can assist include:
| Task | What AI can do | What AI should not do |
|---|---|---|
| Reviewing Artifacts | | |
| Creating Work Papers | Generate structured summaries and organize data, reducing manual effort and minimizing errors. | AI-generated work papers must be reviewed and validated by assessors to ensure accuracy and compliance. |
| Conducting Remote Interviews | Facilitate remote interviews by scheduling, transcribing conversations, and summarizing key points. | While this automation speeds up the process, human oversight is necessary to ensure the accuracy and confidentiality of recorded data. |
| Assisting with Final Assessment Reports | Analyze assessment data and suggest phrasing, summarize findings, or structure content according to PCI SSC reporting templates. This can help to ensure that reports are accurate, consistent, and understandable. | Lead assessors must review and approve all AI-generated content to ensure accuracy and adherence to PCI standards. |
The Importance of transparency and client communication
The guidelines emphasize the importance of transparency and addressing the challenges associated with AI use. Assessors are expected to communicate clearly with clients about AI involvement, obtain their consent, and provide assurances about data security and the accuracy of assessment results.
Risks and limitations of AI in PCI assessments
While AI can enhance efficiency, it also presents challenges:
- False positives and errors: AI may misinterpret security findings, requiring human validation.
- Bias in AI models: AI must be regularly tested to ensure fair and accurate assessments.
- Data privacy concerns: AI should not be trained on sensitive client data without explicit authorization.
- Over-reliance on automation: Assessors must not blindly trust AI-generated results without verifying accuracy.
To mitigate these risks, AI systems should undergo continuous improvement, bias checks, and validation by independent experts.
Policies and procedures for AI use
To ensure the effective and secure integration of AI in PCI assessments, assessor companies are required to establish clear and detailed policies and procedures for AI use. These procedures should cover:
- How AI is to be used and validated
- Selection and qualification of AI systems
- Types of evidence AI can process
- Data handling and security
Final thoughts
AI is a game-changer for PCI assessments, offering speed, efficiency, and accuracy. However, the human element remains essential. By combining AI capabilities with human expertise, PCI assessments can be more effective and secure. Assessors must adopt clear policies, ensure transparency, and take responsibility for compliance decisions, ultimately ensuring better protection of payment card data in an evolving digital landscape.
Oh, and by the way
It is important to note that the PCI Security Standards Council does not endorse any specific AI products or services for PCI assessments. Assessment companies and individual assessors are responsible for evaluating and selecting AI tools based on their own criteria and due diligence.