Is there some part of PCI auditing requirements that is getting misinterpreted by some auditors to demand this? Though in my experience with standards like this what auditors want to see and what the standards say often have only loose overlap anyhow.