The Future of AI in PCI Assessments: A Step Too Far or the Next Evolution?

I've just come off a call discussing the use of Artifical Intelligance (AI) in PCI assessments and how far we think it could go. Could we ever reach a point where AI is not just an assistant but fully replaces the QSA? The use of AI-driven tools to review policies and standards is already emerging, but as technology advances, could AI be accepted as a trusted assessor capable of conducting interviews, reviewing evidence, and making compliance determinations?

Will AI ever fully conduct a PCI assessment, including challenging questioning, or will human auditors always remain essential? If AI were to take on this role, what would we even call an AI QSA? Would it need to undergo annual exams like human QSAs and ISAs to maintain its certification? These are big questions for the industry as we consider the balance between technological capability and regulatory trust.

AI in Policy and Evidence Review

Today, AI can assist with reviewing documentation, detecting anomalies, and ensuring consistency in policy alignment. AI tools can scan policies and highlight gaps against PCI DSS requirements far quicker than human assessors. But what about evidence review? Could AI ever reach a point where it can verify whether submitted artefacts meet assessment criteria?

Imagine an AI system analysing firewall configurations, patch management records, and vulnerability scans. Could it identify compliance and provide justifications for its actions? To reach this level of skill, AI might need to be more advanced, maybe even agentic AI, which means AI that understands context and reasons and improves its own way of assessing things on its own.

Can AI Conduct Interviews and Ask Probing Questions?

One of the most challenging aspects of a PCI DSS assessment is the interview process. QSAs are required to pose insightful questions, scrutinise responses, and raise concerns when necessary. Could AI ever replicate this? An AI system might be able to generate relevant questions based on documentation and evidence, but would it have the intuition to sense when something is off? Could it identify a hesitant response and probe further?

A future scenario could involve AI avatars conducting live interviews with IT security teams, network administrators, and business executives, asking questions about network segmentation, patching, end-of-life system risks, and penetration testing results. But would organisations trust AI to detect deception or assess confidence levels the way human auditors do?

Acceptance: Would the PCI Council Allow It?

Even if AI reaches a level where it can technically perform a full PCI assessment, would the PCI Security Standards Council (SSC) and its Executive Committee (VISA, Mastercard, Amex, Diners Club, JCB, and Union Pay) allow AI-led audits?

Pre-COVID, QSAs had to be on-site for face-to-face interviews and physical reviews. The pandemic forced a shift to remote assessments, but only under strict conditions, such as:

• Cameras on for interviews and identity verification.
• Live video walkthroughs for data centre inspections.
• Supplemental testing to ensure remote audits met the same standards as in-person reviews.

If AI were to conduct assessments, the PCI SSC might demand rigorous validation processes, ensuring that AI-driven assessments meet or exceed human-led testing standards. Would AI need to undergo a form of "QSA certification" before being trusted?

Will AI Replace QSAs and Auditors?

With the rise of AI in automation, many industries face job displacement concerns. But is the role of a QSA or auditor safe? Certain professions require human intuition, scepticism, and professional judgement, qualities AI struggles to replicate. While AI can enhance and streamline assessments, QSAs may evolve into AI supervisors, interpreting AI-generated findings and making final compliance determinations.

In the next 5–10 years, we might see:

• AI tools handling document reviews and evidence validation.
• 100% sampling instead of selective sampling.
• AI-assisted interviews with human oversight.

However, full replacement of QSAs and auditors seems unlikely—at least without significant regulatory shifts.

Use Cases for AI in Compliance Assessments

Beyond PCI DSS, AI could reshape compliance across other standards like ISO 27001 and HIPAA:

• ISO 27001 Audits: AI could analyse ISMS documentation, security logs, and risk assessments, ensuring compliance with Annex A controls.
• HIPAA Audits: AI could scan medical systems for PHI security risks, review access control logs, and check encryption levels.
• Continuous Compliance Monitoring: Instead of point-in-time assessments, AI could provide real-time compliance assurance, detecting risks as they emerge.

The Future: AI-Assisted, Not AI-Led?

While AI will play an increasing role in compliance, it’s more likely that AI will augment rather than replace human auditors. AI-driven PCI assessments might look like:

• AI handling initial reviews, generating risk reports, and flagging anomalies.
• QSAs focusing on higher-level analysis, decision-making, and complex interviews.
• AI enabling continuous compliance, reducing reliance on annual assessments.

Final Thoughts

As AI capabilities grow, the industry must decide how far it is willing to trust AI in compliance assessments. The shift from manual to AI-assisted assessments is inevitable, but a fully AI-led PCI assessment still seems distant. The PCI SSC and card brands will need to carefully consider the balance between innovation and maintaining the integrity of the assessment process.

Would you trust an AI to conduct your PCI assessment? How do you see AI reshaping the future of compliance? Let’s discuss!

#AI #PCICompliance #CyberSecurity #AIinAudit #Fintech #DigitalTransformation #ComplianceAutomation #FutureOfAudit #QSARole #RiskManagement

Disclaimer:

The views and opinions expressed in this LinkedIn article are solely my own and do not necessarily reflect the views, opinions, or policies of my current or any previous employer, organisation, or any other entity I may be associated with.