Talk:Payment Card Industry Data Security Standard

From Wikipedia, the free encyclopedia
Terminology not clear for likely audience

In the first two sentences of the third paragraph:

 "Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, compliance is enforced by the organization's acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of compliance."
...the following three things are not clear to the likely audience:

1) What is an "in-scope" organization?

2) What is an "organization's acquirer"?

3) What are "bodies holding relationships with the in-scope organizations"?


Grandmotherfrompeoria (talk) —Preceding undated comment added 15:56, 14 May 2010 (UTC).

"In-scope" system is "The boundaries and included area in which cardholder data resides." Probably what is meant here is a merchant or organization with an In Scope System, Cardholder Data Environment or PCI Scope Environment, all of which are the same.
"Organization's acquirer" is likely the acquiring bank used by the merchant. "An acquiring bank is the bank or financial institution that provides accounts to merchants and processes credit and debit card transactions on their behalf. A merchant account allows an organization or company to accept credit cards. The bank or financial institution then deposits the funds into the merchant's checking account."
Both definitions come from http://www.secureworks.com/compliance/pci/pci-compliance-glossary/

G J Lee (talk) 18:45, 6 December 2012 (UTC)

Compliance and compromises

The first and second paragraphs here are nonsense. The first paragraph claims it is a "common misconception" that PCI-compliant firms have had security breaches, without any citation, before introducing two cited examples of exactly that happening. The second paragraph essentially states that a compromise of a compliant system is probably due to a failure to maintain compliance and a failure of the assessor to assess compliance. It is suggested that neither of these failures are the fault of the standard, while dressing the standard as a victim using loaded words such as "blasting" to describe criticism. Most of this is also without citation.

Unless anyone disagrees, I'll be rewriting this section shortly. --Suction Man (talk) 17:04, 30 July 2014 (UTC)

Agreed, this section reads like the words of someone trying to defend the standard, but it's poorly written and the defenses seem to be unsourced, unlike the criticisms. This is a common point of contention though, so a reflection of the criticisms and defenses is still warranted here. If you can find sources for the "they weren't actually compliant at the time of the breach" defense, that would be ideal. Exponium (talk) 21:57, 30 July 2014 (UTC)

Improvements

Requirements:
"132 changes": this is meaningless. What are all these changes? How significant are they? Changes since which version, perhaps 1.0? Why version 2.0, when the current version is version 3.0?
"two new or evolving requirements", is this a case of the editor not knowing or is one "new" and one "evolving"?
"differing points from version 1.2" Why version 1.2? It would be better to have a table of the current requirements. And the " 220 sub-requirements" referred to later on in the article.
Changes and differences should be in the History section.
How to get started:
This is like a user manual. Needs rewriting from "you".
Mandated compliance:
This section should talk more about the enforcements and "fines and penalties" which are touched on in the controversies section.
Compliance and compromises:
This section slips into a long complicated legalese sentence. "Therefore…". It seems to be saying that passing the assessment is worthless; it doesn't provide any protection to the merchant.
"Level 1-3 merchants … Level 4" what are these levels?
Compliance as a snapshot:
"temporal persistence" = "permanence"
"the point in time when" = "when"? 87.112.4.153 (talk) 14:33, 13 February 2014 (UTC)

To extend the above, much of the article is written as a user guide rather than an encyclopedic article about the standard in question. I intend to remove the 'howto' tone entirely soon unless any objections are raised, as well as various sections that are outdated (referring to v1.x of the standard). Exponium (talk) 06:27, 3 April 2014 (UTC)