There were technical issues—such as segmentation and tokenization—that didn't get referenced, but also policy issues.
Why isn't there a more clear-cut appeal process, for retailers who believe their assessor is improperly interpreting the rules? Today, the council will try and address technical questions, but that rarely involves overruling an assessor. Visa has been known to get involved with a retailer who has an assessor complaint, but that's a very rare occurrence.
My personal favorite: Why no prohibition against conflict of interests, such as an assessor who rules that a particular kind of security device is needed and then tries to sell that device to the retailer?
The current PCI assessor guidelines require that the assessor tell the retailer of other vendors selling the same product or service, but that's not the point. If an assessor rules that cameras need to be aimed at every POS location and that personnel must watch that video output during all store hours, for example, and if his firm happens to sell that service, it will be so much easier to buy it from the assessor.
But the real conflict comes in the ruling. If the assessor knows he'll have an excellent shot at the business, won't that strongly influence him to rule that the equipment and personnel are required? If the assessor was prohibited from profiting from the purchase, might that indeed allow the assessor to make a more unbiased decision as to need?
Another weakness: the so-called safe harbor provision. That's the policy where a PCI-compliant retailer gets certain financial protections in the case of a breach. But if Visa and the bank brings in a cast of thousands after the breach and eventually finds a technical error, does that retailer have any protection? If not, then what's the point? If Visa and the issuing bank won't stand behind their own assessor's ruling, something is terribly wrong.