Re: I bet it's even less in reality...
The problem is that the questionnaire is set up so that you have to answer "yes" to everything to pass. A single "no" means that you fail.
I work in IT security. I hold several IT security certifications, and have over 25 years of experience in IT. I can honestly say that it is completely unrealistic to be able to answer "yes" to 100% of the questions on the PCI questionnaire.
You read the thing and keep thinking to yourself that this must have been written by a group of academics who have never worked in an actual business or met real human beings.
The only way to answer "yes" to 100% of the questionnaire would be to close the business and lock up all of the servers in a vault somewhere. This is where the "clicking yes to everything" (that the AC above mentioned) comes from.
I do completely agree with the spirit of what PCI DSS is trying to do. And I agree that as much as 90% of what is being asked is essential to security. The problem is the 10% that is not going to happen in most operating businesses.
I will also point out that most of the major breaches of credit card information happened at companies that were PCI Level 1 compliant at the time of the breach. That one fact right there shows what a useless exercise PCI really is.