Dave Vroman (2/19/2013)
It totally depends on the level of PCI compliance. I don't remember where it was and I am no longer at that company. It was not specifically spelled out in the compliance papers, but it was required by the company that was testing for compliance.
Sounds like the auditor was just making stuff up.
Not that I think using stored procedures is a bad thing, but this sort of thing is why I have very little respect for firms that do PCI, SAS70, SOX, etc. audits.
My experience is that they zoom in on petty items while they ignore or don't even understand serious problems.