[csirac2]

Woah. Precisely the reason that card networks and issuers have been so lax previously is that they want consumers and issuers to use their damn cards. Being painful to use for merchants and consumers is incompatible with that. Until now losses were small enough... Now, PCI assessment industry is such a profoundly small thing next to the losses and risk carried by issuers - let alone the sheer core business volumes at stake here - forgive me for feeling skeptical that the reasons for this security bump are anything other than stakeholders wanting to stem losses and reduce risk.

[StavrosK]

Wouldn't that happen by just making rules that led to people using third-party services, though? Why is it a requirement that you change users' passwords every 90 days (something which I outright don't want to do), or get audited once a year (which is a considerable expense for no actual feedback, other than running an automated tool)?

[csirac2]

Yes, we can argue that the content is less than perfect (are there really no permissible controls to get around 90day passwords, such as 2FA?), I'm just taking issue with the assumption that this is a conspiracy designed to line the pockets of QSAs (it's news to me that they provide zero feedback and business value - but then I'm not so close to PCI stuff).

Edit: I'm sure I've read that PCI 3 wasn't written in a vacuum - surely there is some trend in the data that's not visible to us that prompted the 90 day password thing (keyloggers for one, certain POS manufacturers using the same default passcodes on all their products for over 20 years another).

[StavrosK]

Maybe I'm wrong, but the few times I've had to fix PCI-scanned sites for compliance, the feedback was just whatever an external automated tool could find, which was almost nothing, and when you fixed the few warnings in the otherwise abysmal codebase, you got the approval.