PCI Forensic Investigation (PFI)

SRM is one of a handful of companies in the UK retained by the PCI to carry out PFI investigations. We have delivered hundreds of PFI investigations and pride ourselves on providing an expert, professional service that satisfies all the requirements of acquiring banks while also guiding our clients on a swift route to containment and remediation.

What is a PFI investigation?

A Payment Card Industry (PCI) Forensic Investigation is required by an acquiring bank where a breach has been identified. Breaches of data are normally identified when cardholder reports of fraud are linked through analysis. The cost is met by the organisation that has been identified as a ‘common point of purchase’ for the breach.

What are the challenges?

In today’s technology-driven world, the acceptance of card payments is regarded as a fundamental aspect of any business. The theft of payment card data is a highly lucrative enterprise, with criminals investing considerable time, energy and resources into locating, stealing and illegally using payment cards to commit widespread and costly fraud.

A failure to comply with the PCI DSS may lead to a compromise situation with cardholder data being inadvertently or intentionally placed in unauthorised hands and potentially subject to fraud.

The faster an organisation responds to a potential breach, the lower the likely fines and sanctions will be. Where incidents have occurred, the merchant or payment service provider may need to conduct a forensic investigation in order to stem the fraudulent flow of information and to take steps towards regaining PCI compliance.

Why SRM?

As one of the handful of UK companies retained by the PCI to carry out PFI investigations, SRM formally documents its findings on completion of the investigation and provides a comprehensive ‘Final Incident Report’ that details the following:

  • Outline of the investigation undertaken;
  • Security issues identified, including all vulnerabilities identified;
  • Where possible, logical steps that can be taken to remediate any issues identified.

Do I need a PFI Full or a PFI Lite Investigation?

PFI Lite investigations are a Visa Europe initiative designed for small eCommerce businesses that may have been hacked and lost cardholder data. This is a scaled-down PCI Forensic Investigation designed to provide an investigation and remediation service specifically for smaller eCommerce merchants. The SRM team is extremely experienced in collating information and scoping the type of investigation that is needed.

Associated services

Retained Forensic & Incident Response (IR)

Ensuring you have access to Forensic Incident Response expertise is a proactive approach your organisation can take to information security.

The SRM PCI DSS compliance team includes leading QSAs who use their wealth of experience to help organisations at all levels to understand not only how to comply but also how to reduce costs.

Digital Forensics

SRM’s Digital Forensics team has over 60 years’ combined experience in the criminal and civil investigation field, including over 40 years specialising in Digital Forensic analysis.

When choosing a managed eDisclosure service provider, trust and experience are key requirements.

SRM is an accredited PA DSS assessor. With a forensic laboratory in the North East, we have the expertise and resources to guide software application companies through the process of certification.

Disaster Recovery Planning

As experienced providers of DR planning services, SRM works with clients to prioritise the survival of the business and the resumption of normal working practices as soon as possible.
