The choice of whether the self-assessment option is available to Level 1 merchants varies by card brand, but Visa is now selectively permitting it. Officially, the issuing bank and the card brand must agree before a Level 1 is given the self-assessment permission and it's often approved for re-certification, once a retailer has already been certified PCI compliant.
David Taylor, president of the PCI Vendor Alliance and a certified third-party assessor, said that he has no problem with the Visa move.
"I really don't see an issue with the 'third party' role of the auditor since, if there is a breach post-audit, the merchant really owns the liability anyway," he said. "Many PCI auditors are small firms, so any customers or banks will litigate against the merchant anyway, so why shouldn't they own the audit process and its associated liability?"