Talk:Payment Card Industry Data Security Standard

Wiki Education Foundation-supported course assignment
This article was the subject of a Wiki Education Foundation-supported course assignment, between 30 October 2018 and 11 December 2018. Further details are available on the course page. Student editor(s): Gl1147. Peer reviewers: Gl1147.

Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT (talk) 06:17, 17 January 2022 (UTC)

Removal of section "Risk management to protect cardholder data"
While I generally try to WP:BEBOLD, I think the removal of this section requires some notice. There's a number of problems with the inclusion of this section that, in my opinion, warrant full removal. Absent any other comments, I will eventually remove this. Here's my justification.

The section starts talking about risk management. Risk management programs are defined under requirement 12, but instead the article discusses requirement 3, which is about controls protecting *stored* data. It also seems to be fixated on HSMs, which are are relevant generally for PCI, but are not discussed at all in the PCI DSS. Finally, the risk management "steps" do not coincide remotely with what exist under the req 12 risk management processes.

Those are the basic problems with what exists currently.

But in the end, the larger reason I think this should be removed, is that it picks one/two specific detailed areas to focus on in terms of the actual requirements, while the rest of the article only discusses high-level issues. From my standpoint, it's not feasible (without more editor interest) to get into detailed discussions about particular PCI DSS requirements, so we should stick with a high-level discussion instead.

DoubleRelevance (talk) 07:24, 15 August 2023 (UTC)
 * The lack of independent sourcing makes the section even more dubious. — BillHPike (talk, contribs) 17:54, 17 August 2023 (UTC)
 * I've gone ahead and removed the section. I'll also comment, sourcing is a problem with this topic in general, because essentially you can only find primary sources or non-independent secondary sources for support of the content. The PCI Council promulgates the rules, and certifies companies to be authorities on the interpretation of the rules (though card brands and merchant banks are also authorities). So under Wikipedia rules, most secondary sources get reverted immediately for not being independent. Which I'm not saying is bad or wrong, it's just an unfortunate effect of the system under which the PCI DSS operates. DoubleRelevance (talk) 02:57, 2 September 2023 (UTC)