Self-certification (wrong term, but I can't think of the right one at the moment) can only be done by smaller companies who handle a smaller number of transactions every year. Large companies have to be audited by a certified QSA.
The only problem is that the actual requirements in PCI DSS are a bit vague in places, and what you need to do to achieve compliance depends on the interpretation of the QSA. Sony's lawyers will just end up saying that they were compliant so long as you squint at it from the right angle. |