[StavrosK]

Wouldn't that happen by just making rules that led to people using third-party services, though? Why is it a requirement that you change users' passwords every 90 days (something which I outright don't want to do), or get audited once a year (which is a considerable expense for no actual feedback, other than running an automated tool)?

[csirac2]

Yes, we can argue that the content is less than perfect (are there really no permissible controls to get around 90day passwords, such as 2FA?), I'm just taking issue with the assumption that this is a conspiracy designed to line the pockets of QSAs (it's news to me that they provide zero feedback and business value - but then I'm not so close to PCI stuff).

Edit: I'm sure I've read that PCI 3 wasn't written in a vacuum - surely there is some trend in the data that's not visible to us that prompted the 90 day password thing (keyloggers for one, certain POS manufacturers using the same default passcodes on all their products for over 20 years another).

[StavrosK]

Maybe I'm wrong, but the few times I've had to fix PCI-scanned sites for compliance, the feedback was just whatever an external automated tool could find, which was almost nothing, and when you fixed the few warnings in the otherwise abysmal codebase, you got the approval.