We have four retail clothing stores. Each store is scanned by the card processor once a quarter. Once a year I have to fill out a Self Assessment Questionnaire which addresses the default password issue among other things. It's a royal pain in the ass. I failed scans in the past for having our systems locked down so tight that the scans were blocked. That seemed ideal to me, but the processor saw it differently. I had to white-list their ip range.