#55
11-21-2011, 07:40 AM

carpeperdiem
X-Guru
Join Date: Jul 2006
Location: New York City, USA
Posts: 5,399

Re: Displaying customer passwords to admin

Of course they have access to account data. That doesn't mean they can see an encrypted password. That's the point of this -- OF COURSE the merchant or bank NEEDS to have 100% access to all account data -- but the customer password will and should always remain encrypted. We've all had password issues of some sort over the years - and most systems are designed to NOT let a call center or admin in the backend EVER see a customer password. To protect the merchant as much as the customer.
That's the point. Not about a call center flunky knowing your checking account balance -- the systems are designed to prevent passwords from being visible to anyone but you. And if our system permits this, then golly geez it's time to fix this design flaw immediately.

I can't think of ANY circumstances where an admin needs to know the actual password of a customer. There are NO situations where this is needed. Period. In the case of a forgotten password, use password recovery. In the case of a username or email address change, use the admin, force a new temp password with a required password change on first login. I don't EVER want to know my customers' passwords. I expect this security hole to be patched.

Can we declare this a product default?
Do the PCI folks care about this "feature"?
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
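An added sketch of the reset flow the post above asks for (admin forces a temporary password, customer must change it on first login). It is not X-Cart code and not part of the original post; `Account`, `admin_reset`, `admin_view` and the other names are hypothetical, and storing a salted PBKDF2 hash instead of reversible ciphertext is this example's assumption.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this sketch)

@dataclass
class Account:
    login: str
    salt: bytes = b""
    pw_hash: bytes = b""
    must_change: bool = False

def _derive(password: str, salt: bytes) -> bytes:
    # One-way derivation: the stored value cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(acct: Account, password: str, must_change: bool = False) -> None:
    acct.salt = secrets.token_bytes(16)  # fresh salt on every change
    acct.pw_hash = _derive(password, acct.salt)
    acct.must_change = must_change

def admin_reset(acct: Account) -> str:
    """Admin action: overwrite the credential without ever reading the old one.
    Returns a random temporary password to hand to the customer."""
    temp = secrets.token_urlsafe(12)
    set_password(acct, temp, must_change=True)
    return temp

def login(acct: Account, password: str) -> str:
    if not hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
        return "denied"
    # A temporary password only gets the customer as far as the change form.
    return "change_required" if acct.must_change else "ok"

def change_password(acct: Account, current: str, new: str) -> bool:
    # Reject a wrong current password and reject reusing the temporary one.
    if login(acct, current) == "denied" or current == new:
        return False
    set_password(acct, new)  # clears must_change
    return True

def admin_view(acct: Account) -> dict:
    """Fields a back-office screen may display; none holds a recoverable password."""
    return {"login": acct.login, "must_change": acct.must_change}
```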