Diff: FAQ #1324
What changes are PFI companies allowed to make to the PFI Reporting Templates?
Earlier Version
Later Version
Removed
Added
PCI SSC recognizes thethat there may be a need for personalizationPFIs to personalize the PFI Report Templates, such as adding a company logo or add rows for more detail. However, such changes must be limited per the following:
Personalization, such as inclusion of corporate logos, must be limited to the title page of the document.
The format and content of the PFI Report Templates must be maintained with no deletions — the only permitted format change is the addition of rows as needed to facilitate complete and accurate responses. Changes to the order or content of sections, reporting instructions, guidance notes or other static text are not permitted.
Removal or omission of any static text, including section headers, guidance notes and instructions is prohibited. Where a section or requirement is determined to be not applicable, those sections and/or requirements must remain in the completed PFI reports with any "not applicable" results documented.
The addition of content, such as legal verbiage or additional reporting, is allowed in a limited manner; such additional content/reporting sections should be treated as addendum sections that are attached at the end of the PFI Report following the appendices. If a PFI would like to include more information than they feel can be included in the allotted space, they must put an addendum reference in the report at the location where expansion is needed, and identify where (in the addendum) that data can be found. Additions of addendum content should be carefully considered, as the affected payment brand(s) have the right to reject such changes.
PFIs must also ensure that any content added by the PFIto the PFI Reporting Templates, such as the addition of company logos,is visually evident and discernable from the original PCI SSC Report Template. Any additional reporting must not be duplicated information, but require such changes to be very limited and per the following guidance:
Personalization, such as inclusion of corporate logos and the like, must be limited to the title page of the document.
The format of the PFI Reporting Templates must remain unchanged with no deletions. Generally, changes to the format must be limited to the addition of rows as needed. This includes a requirement not to change the order of sections.
Again, nothing must be removed, including sectionsrather, must be additional details that add context or requirements determined to be not applicable. Those sections and/or requirements must remainclarification to the responses provided in the completed PFI Reporting Template with the "not applicable" result documented instead. The addition of content, such as legal verbiage or additional reporting, is allowed in a limited manner; such additional content/reporting sections should be treated as addendum sections and not added to the PFI Reporting Template format before the appendices. Additions of addendum content should be carefully considered, as accepting brand(s) have the right to not accept such changes. PCI SSC would request that PFIs ensure there is reasonable distinction that the content has been added by the PFI and is not part of the published PCI SSC document. Where a PFI would like to include more information than they feel they can include in the allotted space, they must put an appendix reference in the PFI Reporting Template at the location that expansion is needed and identify where in the appendices that data can be found. Any additional reporting must not be a duplication of information, and must be additional details that add value to the above required sections.
PCI SSC recognizes that this approach is strict and that other Reporting Templates such as for PCI DSS and PA-DSS do not currently have the same limitations at the time of this FAQ. The determination to set such strict boundaries for PFI reporting was made with feedback from the Payment Card brands and similar receiving entities who note that over personalization by PFIs needlessly complicates the review process in many cases, which the PFI Reporting Templates were intended to simplify.
Below is an example of how addendum content could be addressed within the PFI Reporting Template where the PFI feels more detail is warranted, but the reporting format doesn't facilitate that reporting data:main body of the report.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.