Talk:Payment Card Industry Data Security Standard

WikiProject Business (Rated C-class)
This article is within the scope of WikiProject Business, a collaborative effort to improve the coverage of business articles on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as C-Class on the project's quality scale.
This article has not yet received a rating on the project's importance scale.
WikiProject Computer Security / Computing (Rated Start-class)
This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as Start-Class on the project's quality scale.
This article has not yet received a rating on the project's importance scale.
This article is supported by WikiProject Computing.

Link "PCIDSS"

For someone who knows how. Searching PCIDSS does not currently direct here --K

Done. --Clay Collier 07:12, 4 April 2007 (UTC)

This page should be merged with "Payment Card Industry" --Grvfuel 15:41, 17 October 2007 (UTC)

I'm not entirely convinced - the PCI page should really just talk about the PCI and link off to the various standards they provide IMO. Otherwise as the number of standards they issue or maintain grows, the PCI page will become rather bloated. Random name 10:57, 18 October 2007 (UTC)

Added links to sources regarding PCI compliance, the recent Visa International payment mandates. ~~Classof96 20:52, 5 November 2007

The problem with these links - there are millions of information sources like these. I've not been editing long enough to know how we're meant to decide which to use, and which to leave. Random name 21:52, 7 November 2007 (UTC)

Is this international? (talk) 06:20, 19 December 2007 (UTC)

Yes. The requirements are international. Also the PCI DSS 1.2 document is available in 10 languages as of today Friday, December 12, 2008. --Reconscout94 (talk) 03:10, 13 December 2008 (UTC)

Oversimplified and inaccurate

These two statements
A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or they risk losing the ability to process credit card payments. Merchants and service providers must validate compliance with an audit by a PCI DSS Qualified Security Assessor (QSA) Company.
are an oversimplification of the reality and not quite accurate. The truth is: an acquirer (say FirstUSA for the Visa credit card) might periodically ask a merchant (say Walmart) to answer (all/not all) questions within a number of questionnaires and execute a scanning test against vulnerabilities and threats on the merchant assets (computers, payment card readers, etc.). Then an auditor (internal or external) will review the answers and the results and solely decide whether the merchant is fully-partially-not compliant. It is not necessary that the auditor comes from a PCI DSS Qualified Security Assessor (QSA) Company.

The sentence The PCI DSS recognizes wireless LANs as public networks and automatically assumes they are a threat. is meaningless. The wireless LANs are not threats - rather they might be vulnerable and exposed to some threats.--Stagalj (talk) 18:45, 7 January 2008 (UTC)

PCI is regarded as being relatively more prescriptive than these other laws.[citation needed]

Other laws? PCI-DSS is not a law or a government regulation.--DrRisk13 (talk) 01:32, 31 January 2008 (UTC)

You are right. I removed that sentence - a standard is not comparable to a law.--Stagalj (talk) 01:54, 2 February 2008 (UTC)
Agreed, but in 2009 Nevada actually incorporated the standard into state law for merchants doing business in that state. See, Nevada Revised Statutes, Chap. 603A. --John M. DeMarco (talk) 20:47, 11 December 2010 (UTC)

Best Practices

The "best practice" section has needed a cite for ages now, and it's now also being filled with random ERP suggestions. I'm deleting it soon unless someone can find a cite for it. Random name (talk) 16:38, 11 July 2008 (UTC)

PCI DSS for Enterprise Software Users

This section appears to be a somewhat random SAP section which provides no refs outside of commercial links to registration-protected commercial whitepapers. On top of that, it strikes me as excessive levels of information for one product - unless this article intends to discuss the particulars of security for all major software releases one might encounter in an enterprise environment, this section needs removing. Any comments? Random name (talk) 10:04, 19 July 2008 (UTC)

Cleaning up links

Folks, I've cleaned a number of links out of this page - if you're wondering why, please have a look at WP:EL. As it states, Wikipedia isn't meant to be a collection of links, useful or otherwise. As such, I've removed the blog that was linked, the conference page, and the link to the payment security certification. Random name (talk) 08:07, 22 August 2008 (UTC)

Can anyone say why the link is still on here? It's a website that frames the actual website. Absolutely nothing unique or different about it. I would classify it as blatant spam! It should be removed.

3 Programs controlled by PCI SSC

There are 3 programs controlled by PCI SSC, that is PCI PED, PCI PA-DSS and PCI DSS. PCI PIN is still controlled by Visa. —Preceding unsigned comment added by (talk) 13:29, 22 September 2008 (UTC)

Is this a worldwide standard?

The article does not mention if PCI-DSS applies worldwide, or only within the US. I imagine it can be used worldwide by the major CC companies, but does that happen in practice? —Preceding unsigned comment added by (talk) 15:22, 25 November 2008 (UTC)

Yes, it's a global standard, and was started by a council including a number of global card brands. Progress has been slower in some areas of the world, but it's being applied everywhere. Random name (talk) 13:17, 26 November 2008 (UTC)

Additionally, page 3 of the PCI DSS 1.2 (October 2008) clearly states the "global" applicability in the very first sentence. —Preceding unsigned comment added by Reconscout94 (talkcontribs) 01:43, 13 December 2008 (UTC)

Verifying PCI compliance claims

The article would benefit from a section telling how to verify a company's claim that they are PCI compliant. (talk) 17:03, 8 January 2009 (UTC)

Move back to PCI DSS

Was this discussed before the move? It's not an acronym that really warrants expansion like this. Andy Dingley (talk) 02:03, 20 April 2009 (UTC)

Hmm no, it wasn't discussed, as I thought it was a non-contentious move. Given that other comparable items such as HIPAA and SOX go to their full names, rather than the associated acronyms, what is special about PCI DSS? Random name (talk) 08:48, 20 April 2009 (UTC)

Add merchant qualification levels?

Would it be worth including the relevant details from the card vendors (roughly the same across the payment brands) that show how to work out what level merchant you are? Monkey Web Daemon (talk) 09:38, 17 February 2010 (UTC)

Terminology not clear for likely audience

In the first two sentences of the third paragraph:

 "Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, compliance is enforced by the organization's acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of compliance."
...the following three things are not clear to the likely audience:

1) What is an "in-scope" organization?

2) What is an "organization's acquirer"?

3) What are "bodies holding relationships with the in-scope organizations"?

Grandmotherfrompeoria (talk) —Preceding undated comment added 15:56, 14 May 2010 (UTC).

"In-scope" system is "The boundaries and included area in which cardholder data resides." Probably what is meant here is a merchant or organization with an In Scope System, Cardholder Data Environment or PCI Scope Environment, all of which are the same.
"Organization's acquirer" is likely the acquiring bank used by the merchant. "An acquiring bank is the bank or financial institution that provides accounts to merchants and processes credit and debit card transactions on their behalf. A merchant account allows an organization or company to accept credit cards. The bank or financial institution then deposits the funds into the merchant's checking account."
Both definitions come from

G J Lee (talk) 18:45, 6 December 2012 (UTC)

Controversies and criticisms

"It has been suggested by some IT security professionals that the PCI DSS does little more than provide a minimal baseline for security."
"...In contrast, others have suggested that PCI DSS is a step toward making all businesses pay more attention to IT security, 
 even if minimum standards are not enough to completely eradicate security problems."

I don't see why "In contrast" is used. The two statements don't seem to disagree with each other. The two certainly indicate the importance of security, and also that these rules may not be enough to completely enforce and solve security problems. —Preceding unsigned comment added by Ibarrera (talkcontribs) 15:21, 20 August 2010 (UTC)

Compliance and compromises

The first and second paragraphs here are nonsense. The first paragraph claims it is a "common misconception" that PCI-compliant firms have had security breaches, without any citation, before introducing two cited examples of exactly that happening. The second paragraph essentially states that a compromise of a compliant system is probably due to a failure to maintain compliance and a failure of the assessor to assess compliance. It is suggested that neither of these failures is the fault of the standard, while dressing the standard as a victim using loaded words such as "blasting" to describe criticism. Most of this is also without citation.

Unless anyone disagrees, I'll be rewriting this section shortly. --Suction Man (talk) 17:04, 30 July 2014 (UTC)

Agreed, this section reads like the words of someone trying to defend the standard, but it's poorly written and the defenses seem to be unsourced, unlike the criticisms. This is a common point of contention though, so a reflection of the criticisms and defenses is still warranted here. If you can find sources for the "they weren't actually compliant at the time of the breach" defense, that would be ideal. Exponium (talk) 21:57, 30 July 2014 (UTC)


"132 changes": this is meaningless. What are all these changes? How significant are they? Changes since which version, perhaps 1.0? Why version 2.0, when the current version is version 3.0?
"two new or evolving requirements", is this a case of the editor not knowing or is one "new" and one "evolving"?
"differing points from version 1.2" Why version 1.2? It would be better to have a table of the current requirements. And the "220 sub-requirements" referred to later on in the article.
Changes and differences should be in the History section.
How to get started:
This is like a user manual. Needs rewriting from "you".
Mandated compliance:
This section should talk more about the enforcements and "fines and penalties" which are touched on in the controversies section.
Compliance and compromises:
This section slips into a long complicated legalese sentence. "Therefore…". It seems to be saying that passing the assessment is worthless; it doesn't provide any protection to the merchant.
"Level 1-3 merchants … Level 4" what are these levels?
Compliance as a snapshot:
"temporal persistence" = "permanence"
"the point in time when" = "when"? (talk) 14:33, 13 February 2014 (UTC)

To extend the above, much of the article is written as a user guide rather than an encyclopedic article about the standard in question. I intend to remove the 'howto' tone entirely soon unless any objections are raised, as well as various sections that are outdated (referring to v1.x of the standard). Exponium (talk) 06:27, 3 April 2014 (UTC)