AI in PCI DSS Compliance Assessments: PCI Security Standards Council Weighs In

May 1, 2025 | AI, PCI DSS

The rise in popularity of artificial intelligence (AI) is reshaping many areas of cybersecurity—including how companies demonstrate compliance with regulatory standards. 

This is perhaps most evident in compliance automation platforms, many of which are now leveraging AI to offer significant efficiency gains throughout an audit period. It is important to remember, however, that audits and assessments must still abide by rigorous quality and ethics standards established by individual audit firms and governing bodies, such as the Payment Card Industry Security Standards Council (PCI SSC).

Designed by the PCI SSC to help keep customers’ sensitive credit and debit card data secure, the Payment Card Industry Data Security Standard (PCI DSS) sets foundational cybersecurity and privacy guidelines for organizations that store, process, transmit, or interact with payment card data. To demonstrate their compliance with this international standard, organizations can work with a Qualified Security Assessor (QSA) firm like BARR Advisory to complete a formal assessment, such as a self-assessment questionnaire (SAQ) or a full Report on Compliance (RoC).

In spring 2025, the PCI SSC published guidance to help organizations and auditing firms understand how and when AI should be used in these assessments. Here’s what you need to know about the new guidance:

New Guidance from PCI SSC

Introducing the newly published guidelines, the PCI SSC highlighted the benefits of AI, which can improve efficiency and minimize errors in the auditing process.

“When properly implemented, AI can automate key aspects of the assessment process, from document reviews, to creating work papers and PCI reports. By reducing manual effort and minimizing human error, AI can streamline workflows,” the council writes.

But the use of these innovative tools doesn’t come without risk. “AI can also introduce false positives, incorrect assumptions, and biases, requiring additional considerations and human oversight to prevent these issues,” the council adds.

With this in mind, the PCI SSC has published a 12-page document outlining how AI should be used in PCI DSS compliance assessments. For organizations that must comply with PCI DSS, the guidance provides a starting point for discussions with your QSA about when and how they’re leveraging artificial intelligence during their audits.

AI in PCI DSS Assessments: Uses, Risks, and Benefits 

The guidance from the PCI SSC begins by emphasizing the importance of human expertise in assessing an organization’s compliance.

“AI cannot assume the role of an assessor,” the guidance explains. “The lead assessor oversees the assessment process, making critical judgments, and ensuring the accuracy and completeness of the final report.”

For businesses that must comply with PCI DSS, this underscores the importance of working with an experienced QSA to attest to your compliance. There is no single tool or SaaS platform that can replace the advice and expertise of a qualified auditor. However, AI can assist both you and the QSA throughout the assessment process, resulting in greater efficiency and reduced costs for businesses.

“AI can support tasks like data analysis and document review, in the same way a log management tool may help to filter out extraneous data from logs,” the guidance from the PCI SSC reads.

The guidance specifically points to several tasks that can be effectively automated using AI:

  • “AI can automate the review of large volumes of documents during assessments, including policies, procedures, network diagrams, software source code, system configurations, and logs.” (4.1)
  • “AI can assist with the creation of work papers by organizing data, providing preliminary analysis and summaries, and suggesting areas for further investigation.” (4.2)
  • “AI can be used to facilitate remote interviews by scheduling, transcribing conversations, and summarizing key points.” (4.3)

All of these uses reduce the manual effort required to complete the assessment process, empowering auditors to complete more thorough assessments in less time. For businesses, this improved efficiency means less time buried in paperwork, lower assessment costs, and increased confidence in your compliance posture.

The Bottom Line: What To Look for in an Auditor

When selecting a QSA firm that meets your business’s needs, consider whether and how they leverage artificial intelligence during the assessment process. For many organizations and auditors, this will include using AI features that are built into many popular compliance automation tools. 

According to the PCI SSC, assessors should “ensure transparent and clear communication with clients. This includes informing clients of AI involvement, obtaining their consent, and providing assurances about the security of their data and the accuracy of assessment results.”

“It is a matter of when, not if, an assessor will use AI tools during their review of your environment. The effective and ethical use of these tools is not guaranteed, however,” said Kyle Kofsky, a senior associate on BARR’s attest services team who specializes in PCI DSS. “It is imperative that your organization works with a firm that is not overly reliant on AI and can be trusted to disclose its use throughout their review. Without these factors, your assessment may contain negligent oversights and unnecessary exposure of sensitive data to AI.”

BARR Advisory is one of only a few U.S. auditing firms that is qualified to perform audits against all of the highest-regarded security compliance standards, including PCI DSS, HITRUST, ISO 27001, and SOC 2. If you’re looking for a QSA firm that you can trust to help you grow your compliance program, contact us today.