by rcxdude 88 days ago
Is there some part of PCI auditing requirements that is getting misinterpreted by some auditors to demand this? Though in my experience with standards like this what auditors want to see and what the standards say often have only loose overlap anyhow.

It's pretty counterintuitive from an auditing perspective. If the PCI standards require server racks to be painted red, it's entirely normal for an auditor to ask to see them, and very suspicious for you to say that they're in an encrypted box where nobody can check if they're red or not. I don't mean to excuse it, but I can understand how the error happens.
This is true. Maybe it's someone seeing a requirement like "all passwords must conform to these rules" and deciding that it means they need to check them directly, instead of looking at the systems that enforce that constraint.