Quote Originally Posted by squashrick View Post
It looks like the PCI DSS compliance must have changed as the self-assessment questionnaire now includes an eligibility clause that asks you to confirm that 'Merchant does not store any cardholder data in electronic format' (see attached partial screen shot of the questionnaire).

Any thoughts/comments anyone?
Those questions are not assessing PCI DSS compliance. They're assessing which assessment path must be taken. Most retail stores don't collect or cardholder information electronically. Unless you sign up for a loyalty scheme, you pay your money and walk away with your purchases, so they don't need it.

Online stores usually have to store some cardholder information. Names and addresses are useful for delivery, and in case of payment or stock query. This doesn't disqualify them from PCI compliance. Just means that they have to take steps to protect that data and therefore the short version of the self-assessment form isn't appropriate.