Talk:Payment Card Industry Data Security Standard/Archives/2012
This is an archive of past discussions about Payment Card Industry Data Security Standard. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page. |
Link "PCIDSS"
For someone who knows how. Searching PCIDSS does not currently direct here --K
This page should be merged with "Payment Card Industry" --Grvfuel 15:41, 17 October 2007 (UTC)
I'm not entirely convinced - the PCI page should really just talk about the PCI and link off to the various standards they provide IMO. Otherwise as the number of standards they issue or maintain grows, the PCI page will become rather bloated. Random name 10:57, 18 October 2007 (UTC)
Added links to sources regarding PCI compliance, the recent visa international payment mandates. ~~Classof96 20:52, 5 November 2007
- The problem with these links - there are millions of information sources like these. I've not been editing long enough to know how we're meant to decide which to use, and which to leave. Random name 21:52, 7 November 2007 (UTC)
Is this international? 202.160.118.227 (talk) 06:20, 19 December 2007 (UTC)
Yes. The requirements are international. Also the PCI DSS 1.2 document is available in 10 languages as of today Friday, December 12, 2008. --Reconscout94 (talk) 03:10, 13 December 2008 (UTC)
Oversimplified and inaccurate
These two statements
A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or they risk losing the ability to process credit card payments. Merchants and service providers must validate compliance with an audit by a PCI DSS Qualified Security Assessor (QSA) Company.
are an oversimplification of the reality and not quite accurate. The truth is: an acquirer (say FirstUSA for the Visa credit card) might periodically ask a merchant (say Walmart) to answer (all/not all) questions within a number of questionnaires and execute a scanning test against vulnerabilities and threats on the merchant assets (computers, payment card readers, etc.) Then an auditor (internal or external) will review the answers and the results and solely decide whether the merchant is fully-partially-not compliant. It is not necessary that the auditor comes from a PCI DSS Qualified Security Assessor (QSA) Company.
The sentence The PCI DSS recognizes wireless LANs as public networks and automatically assumes they are a threat. is meaningless. The wireless LANs are not threats - rather they might be vulnerable and exposed to some threats.--Stagalj (talk) 18:45, 7 January 2008 (UTC)
PCI is regarded as being relatively more prescriptive than these other laws.[citation needed]
Other laws? PCI-DSS is not a law or a government regulation.--DrRisk13 (talk) 01:32, 31 January 2008 (UTC)
- You are right. I removed that sentence - a standard is not comparable to a law.--Stagalj (talk) 01:54, 2 February 2008 (UTC)
- Agreed, but in 2009 Nevada actually incorporated the standard into state law for merchants doing business in that state. See, Nevada Revised Statutes, Chap. 603A. --John M. DeMarco (talk) 20:47, 11 December 2010 (UTC)
Best Practices
The "best practice" section has needed a cite for ages now, and it's now also being filled with random ERP suggestions. I'm deleting it soon unless someone can find a cite for it. Random name (talk) 16:38, 11 July 2008 (UTC)
PCI DSS for Enterprise Software Users
This section appears to be a somewhat random SAP section which provides no refs outside of commercial links to registration-protected commercial whitepapers. On top of that, it strikes me as excessive levels of information for one product - unless this article intends to discuss the particulars of security for all major software releases one might encounter in an enterprise environment, this section needs removing. Any comments? Random name (talk) 10:04, 19 July 2008 (UTC)
Cleaning up links
Folks, I've cleaned a number of links out of this page - if you're wondering why, please have a look at WP:EL. As it states, Wikipedia isn't meant to be a collection of links, useful or otherwise. As such, I've removed the blog that was linked, the conference page, and the link to the payment security certification. Random name (talk) 08:07, 22 August 2008 (UTC)
- Can anyone say why the http://selfservice.talisma.com link is still on here. It's a website that frames the actual https://www.pcisecuritystandards.org/ website. Absolutely nothing unique or different about it. I would classify it as blatant spam! It should be removed.
3 Programs controlled by PCI SSC
There are 3 programs controlled by PCI SSc, that is PCI PED, PCI PA-DSS and PCI DSS. PCI PIN is still controlled by Visa. —Preceding unsigned comment added by 122.104.108.220 (talk) 13:29, 22 September 2008 (UTC)
Is this a worldwide standard?
The article does not mention if PCI-DSS applies worldwide, or only within the US. I imagine it can be used worldwide by the major CC companies, but does that happen in practice? —Preceding unsigned comment added by 201.43.190.132 (talk) 15:22, 25 November 2008 (UTC)
Yes, it's a global standard, and was started by a council including a number of global card brands. Progress has been slower in some areas of the world, but it's being applied everywhere. Random name (talk) 13:17, 26 November 2008 (UTC)
Additionally, page 3 of the PCI DSS 1.2 (October 2008) clearly states the "global" applicability in the very first sentence. —Preceding unsigned comment added by Reconscout94 (talk • contribs) 01:43, 13 December 2008 (UTC)
Verifying PCI compliance claims
The article would benefit from a section telling how to verify a company's claim that they are PCI compliant.129.219.58.3 (talk) 17:03, 8 January 2009 (UTC)
Move back to PCI DSS
Was this discussed before the move? It's not an acronym that really warrants expansion like this. Andy Dingley (talk) 02:03, 20 April 2009 (UTC)
- Hmm no, it wasn't discussed, as I thought it was a non-contentious move. Given that other comparable items such as HIPAA and SOX go to their full names, rather than the associated acronyms, what is special about PCI DSS? Random name (talk) 08:48, 20 April 2009 (UTC)
Add merchant qualification levels?
Would it be worth including the relevant details from the card vendors (roughly the same across the payment brands) that show how to work out what level merchant you are? Monkey Web Daemon (talk) 09:38, 17 February 2010 (UTC)
Controversies and criticisms
"It has been suggested by some IT security professionals that the PCI DSS does little more than provide a minimal baseline for security."
"...In contrast, others have suggested that PCI DSS is a step toward making all businesses pay more attention to IT security, even if minimum standards are not enough to completely eradicate security problems."
I don't see why "In contrast" is used. The two statements don't seem to disagree with each other. The two certainly indicate the importance of security, and also that these rules may not be enough to completely enforce and solve security problems. —Preceding unsigned comment added by Ibarrera (talk • contribs) 15:21, 20 August 2010 (UTC)
Terminology not clear for likely audience
In the first two sentences of the third paragraph:
"Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, compliance is enforced by the organization's acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of compliance."
...the following three things are not clear to the likely audience:
1) What is an "in-scope" organization ?
2) What is an "organization's acquirer" ?
3) What are "bodies holding relationships with the in-scope organizations" ?
Grandmotherfrompeoria (talk) —Preceding undated comment added 15:56, 14 May 2010 (UTC).
- "In-scope" system is "The boundaries and included area in which cardholder data resides." Probably what is meant here is a merchant or organization with an In Scope System, Cardholder Data Environment or PCI Scope Environment, all of which are the same.
- "Organization's acquirer" is likely the acquiring bank used by the merchant. "An acquiring bank is the bank or financial institution that provides accounts to merchants and processes credit and debit card transactions on their behalf. A merchant account allows an organization or company to accept credit cards. The bank or financial institution then deposits the funds into the merchant's checking account."
- Both definitions come from http://www.secureworks.com/compliance/pci/pci-compliance-glossary/