What the PCI Security Standards Council’s AI Guidance Means for Assessors & Client Organizations
On March 17, 2025, the Payment Card Industry (PCI) Security Standards Council released its first guidance on artificial intelligence (AI), titled Integrating Artificial Intelligence in PCI Assessments. On page two, the Council presented the main theme, which is an unsurprising but important reminder: AI is a tool, not an assessor.
There’s work ahead for assessor companies this calendar year to prepare for potential questions from the Security Standards Council or client organizations. As a best practice, client organizations should consider adding either an AI Model Card or an Assessor’s AI policy to their periodic vendor monitoring package. Key action items from this guidance include:
- Assessors: Establish a clear communication strategy for disclosing AI use to clients, and document internal policies and procedures governing AI usage.
- Client Organizations: Stay informed and proactively ask how AI is being used in your PCI assessments, particularly when it involves your data.
Assessor companies are responsible for keeping their clients up to date on how AI may be used during assessments. Expect this specific piece of guidance to be an area of scrutiny during the next PCI Quality Assurance Audit and Questionnaire.
The Council also outlines specific activities where AI is likely to be used, including the review of artifacts, creation of workpapers, conducting remote interviews, and drafting reports. In all cases, human oversight and transparency are required. For example, assessors must inform clients if they plan to use AI tools, such as transcription software, during the assessment process.
If you’re unsure where to start or need guidance on aligning with these new expectations, contact our IT Assurance team today.