PCI Council Ditches Outdated 3-Year-Old Self-Assessment Forms

In a move applauded by credit card data security consultants, the PCI Security Standards Council on Wednesday replaced a lengthy older document with a series of shorter forms, but only for those retailers who self-assess.

"This is very good news for most retailers who were struggling with the previous questionnaire and PCI process," said Gartner security analyst Avivah Litan. "The questionnaire this set replaces was out of line with the revised standard and was in dire need of synchronization with the standard itself. The old questionnaire was a leftover from the old VISA CISP standard and did not incorporate changes that were made since the PCI DSS standard was established. This in and of itself led to lots of confusion."

A key change is that the new forms will address more of today's methods for processing credit card payments.

"The standard is finally aligned with reality. Small merchants like dry cleaners and dentist offices with dial-up modems and imprint machines don't have to answer how they satisfy 234 complex security requirements in order to accept credit or debit cards. Instead, they only have to answer 21 questions that apply to their environment," Gartner's Litan said. "Similarly, ecommerce merchants who outsource all of their payment processing functions don't have to answer meaningless questions about how they protect stored card data at rest, and now only need to answer 11 basic and appropriate questions."

Another security consultant, David Taylor, president of the PCI Alliance group, also applauded the changes to the self-assessment questionnaire (SAQ).

"I think the new SAQ will solve the problem of some types of merchants ignoring PCI compliance because their type of business wasn't adequately addressed by the original SAQ," Taylor said. "Apart from that, I don't see the SAQ as a problem solver, but rather a clarifier of PCI's applicability."

Steve Rowen, the security analyst for RSR Research, said he liked the move because of the rampant confusion the earlier version created.

"Previously, for any retailer at the Level 2 or lower status, there was one standardized form for self-assessment. This 'one-size-fits-all' model was 11 pages long, 200 plus questions, and left a lot of small and mid-sized retailers scratching their heads saying, 'how does this pertain to me?'" Rowen said. "The new SAQ is much more in line with the DSS, and is significantly easier, particularly for mom and pop shops to complete."