Talk:Payment Card Industry Data Security Standard
Terminology not clear for likely audience
In the first two sentences of the third paragraph:
"Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, compliance is enforced by the organization's acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of compliance."
...the following three things are not clear to the likely audience:
1) What is an "in-scope" organization?
2) What is an "organization's acquirer"?
3) What are "bodies holding relationships with the in-scope organizations"?
- "In-scope" system is "The boundaries and included area in which cardholder data resides." Probably what is meant here is a merchant or organization with an In Scope System, Cardholder Data Environment or PCI Scope Environment, all of which are the same.
- "Organization's acquirer" is likely the acquiring bank used by the merchant. "An acquiring bank is the bank or financial institution that provides accounts to merchants and processes credit and debit card transactions on their behalf. A merchant account allows an organization or company to accept credit cards. The bank or financial institution then deposits the funds into the merchant's checking account."
- Both definitions come from http://www.secureworks.com/compliance/pci/pci-compliance-glossary/
Compliance and compromises
The first and second paragraphs here are nonsense. The first paragraph claims it is a "common misconception" that PCI-compliant firms have had security breaches, without any citation, before introducing two cited examples of exactly that happening. The second paragraph essentially states that a compromise of a compliant system is probably due to a failure to maintain compliance and a failure of the assessor to assess compliance. It is suggested that neither of these failures is the fault of the standard, while dressing the standard as a victim using loaded words such as "blasting" to describe criticism. Most of this is also without citation.
- Agreed, this section reads like the words of someone trying to defend the standard, but it's poorly written and the defenses seem to be unsourced, unlike the criticisms. This is a common point of contention though, so a reflection of the criticisms and defenses is still warranted here. If you can find sources for the "they weren't actually compliant at the time of the breach" defense, that would be ideal. Exponium (talk) 21:57, 30 July 2014 (UTC)
"132 changes": this is meaningless. What are all these changes? How significant are they? Changes since which version, perhaps 1.0? Why version 2.0, when the current version is version 3.0?
"two new or evolving requirements", is this a case of the editor not knowing or is one "new" and one "evolving"?
"differing points from version 1.2" Why version 1.2? It would be better to have a table of the current requirements. And the "220 sub-requirements" referred to later on in the article.
Changes and differences should be in the History section.
How to get started:
This is like a user manual. Needs rewriting from "you".
This section should talk more about the enforcements and "fines and penalties" which are touched on in the controversies section.
Compliance and compromises:
This section slips into a long complicated legalese sentence. "Therefore…". It seems to be saying that passing the assessment is worthless; it doesn't provide any protection to the merchant.
"Level 1-3 merchants … Level 4" what are these levels?
Compliance as a snapshot:
"temporal persistence" = "permanence"
"the point in time when" = "when"? 126.96.36.199 (talk) 14:33, 13 February 2014 (UTC)
To extend the above, much of the article is written as a user guide rather than an encyclopedic article about the standard in question. I intend to remove the 'howto' tone entirely soon unless any objections are raised, as well as various sections that are outdated (referring to v1.x of the standard). Exponium (talk) 06:27, 3 April 2014 (UTC)