To address this, the PCI Security Standards Council has decided to implement a new extended questionnaire for merchants: the Self-Assessment Questionnaire A-EP (SAQ A-EP), which will have around 140 questions, compared to the 14 questions in the traditional SAQ A. In addition, the new extended SAQ A-EP requires merchants to undergo regular penetration testing, a practice that is common in the service provider space. This presents a major hurdle for merchants, particularly smaller ones, both financially and operationally.