Changes to the PFI Process following the retirement of PFI Lite

1 November 2021

Visa has recently retired its PFI Lite service, prompting significant changes to the PFI investigation services that we provide at IntaForensics. As of October 1st, 2021, Visa terminated the PFI Lite investigation process, and Level 3 and 4 merchants will no longer automatically require a mandated PFI forensic investigation in the event of a cardholder data breach.

As such, we have introduced a new service called an ‘Independent Investigation’:

  • This new service is akin to the old PFI Lite, but is now firmly managed by the acquirer
  • It will only apply to Level 3 and 4 merchants
  • This service will include the analysis, containment and reporting of an incident

Holly Jackson, Principal (Core) PFI Investigator at IntaForensics, has welcomed the new measures and believes they will help smaller companies stay afloat in the unfortunate event of a data breach.

“Before we had what we’d call a full PFI and PFI Lite – a smaller and larger version of a similar investigation essentially – but each one following different rules and guidelines.

“Now, there are advantages to this for the smaller merchants who need help containing an incident, because it’s a mini-style investigation that’s less costly.

“There are other added benefits for the smaller companies as well, because in a PFI investigation, the company could be liable to significant financial penalties. Whereas for the independent investigation, this aspect has been removed.”

For PFI Investigations, aka full PFI investigations, the process has not changed. However, in most cases, they will now be undertaken for Level 1 or 2 merchants only.

Acquirers group merchants into four categories, referred to as levels, on the basis of how many transactions they conduct annually. These levels are used to determine how big the company is for the purposes of PCI compliance. This is because, depending on the size of your company, you have to fulfil different requirements in order to be considered as PCI compliant.

Explaining the differences between merchant levels, Holly said:

“Level 1 merchants are the biggest companies, and Level 4 are at the other end of the scale. However, this is not based on profit. In theory, you could have a really inexpensive product and still be a Level 1 merchant if you sold enough of it.”

“Previously, the PFI Lite investigation would only cover Level 4 merchants, we’re talking about small, frequently independent online businesses. Now Visa has pushed the boundaries to include Level 3, which is quite a big jump (up to 1 million transactions per year). Many merchants would now fall into this category and would thus qualify for the independent investigation as the PFI Lite replacement.

“The independent investigation is a scaled-down version of the PFI investigation. This means independent investigations are a much more cost-effective solution for smaller companies.”

It is common for merchants not to know what level they are. As a rough indication:

  • Level 1: Merchants that process over 6 million card transactions annually
  • Level 2: Merchants that process 1 to 6 million transactions annually
  • Level 3: Merchants that process 20,000 to 1 million transactions annually
  • Level 4: Merchants that process fewer than 20,000 transactions annually

Please note this is applicable to the whole company, not a specific breached channel.

IntaForensics provides a comprehensive range of security services designed to monitor, prevent and respond to data breaches.

Quality underpins everything we do, and we are proud to be UKAS 17025:2017 accredited and ISO/IEC 27001:2013 and ISO 9001:2015 and 14001:2015 certified.

To find out more about our services, call 0247 77 17780 to speak with a member of our team or fill in our online contact form.
