Talk:Payment Card Industry Data Security Standard/Archives/2014

Improvements
Requirements: "132 changes": this is meaningless. What are all these changes? How significant are they? Changes since which version, perhaps 1.0? Why version 2.0, when the current version is version 3.0. "two new or evolving requirements", is this a case of the editor not knowing or is one "new" and one "evolving"? "differing points from version 1.2" Why version 1.2? It would be better to have a table of the current requirements. And the " 220 sub-requirements" referred to later on in the article. Changes and differences should be in the History section. How to get started: This is like a user manual. Needs rewriting from "you". Mandated compliance: This section should talk more about the enforcements and "fines and penalties" which are touched on in the controversies section. Compliance and compromises: This section slips into a long complicated legalese sentence. "Therefore…". It seems to be saying that passing the assessment is worthless; it doesn't provide any protection to the merchant. "Level 1-3 merchants … Level 4" what are these levels? Compliance as a snapshot: "temporal persistence" = "permanence" "the point in time when" = "when"? 87.112.4.153 (talk) 14:33, 13 February 2014 (UTC)

To extend the above, much of the article is written as a user guide rather than an encyclopedic article about the standard in question. I intend to remove the 'howto' tone entirely soon unless any objections are raised, as well as various sections that are outdated (referring to v1.x of the standard). Exponium (talk) 06:27, 3 April 2014 (UTC)

Compliance and compromises
The first and second paragraphs here are nonsense. The first paragraph claims it is a "common misconception" that PCI-compliant firms have had security breaches, without any citation, before introducing two cited examples of exactly that happening. The second paragraph essentially states that a compromise of a compliant system is probably due to a failure to maintain compliance and a failure of the assessor to assess compliance. It is suggested that neither of these failures are the fault of the standard, while dressing the standard as a victim using loaded words such as "blasting" to describe criticism. Most of this is also without citation.

Unless anyone disagrees, I'll be rewriting this section shortly. --Suction Man (talk) 17:04, 30 July 2014 (UTC)


 * Agreed, this section reads like the words of someone trying to defend the standard, but it's poorly written and the defenses seem to be unsourced, unlike the criticisms. This is a common point of contention though, so a reflection of the criticisms and defenses are still warranted here. If you can find sources for the "they weren't actually compliant at the time of the breach" defense, that would be ideal. Exponium (talk) 21:57, 30 July 2014 (UTC)