The PCI standards, although initially formulated by the card networks, are currently maintained by a more or less independent organization, the PCI Security Standards Council (www.pcisecuritystandards.org).
The council is, of course, comprised of members of the industry, including the card networks themselves, as well as other stakeholders of the payment card system.
This is an industry mandate rather than a government mandate or regulation, and it is the industry's own effort to maintain and enhance the integrity of the system as a whole.
Fraud costs everyone involved in the system an incredible amount of money each and every year (billions of dollars) and extends beyond “just” online payments – hence the need for everyone involved in the system, from the smallest card-accepting merchant to the largest processing bank, to be aware of and implement good security practices and policies to help mitigate the potential for fraud.
Is there often an expense involved with full compliance? Absolutely. Can it be burdensome to small businesses? Absolutely. Is it worth the time, energy, effort, and money? Absolutely.
Industry reports reveal that the majority of data breaches occur in a small business setting – you just don't hear as much about them because the number of compromised cardholder records is usually smaller per occurrence, but collectively they account for a large percentage of the breaches and the resulting fraud.
Small businesses should care about, and be willing to adhere to, the standards, regardless of cost or inconvenience, for this reason if no other: the loss of business and business reputation that follows a data breach of any kind.
Add to this the potential for fines from the card networks, and the cost of a new PCI-compliant piece of equipment or software package, or of implementing new policies and procedures designed to protect cardholder information, is minimal in comparison.
Is adherence to the PCI standards a guarantee against breaches? Of course not. But it does provide a solid starting point to evaluate and implement sound data security practices across the entire payment card system.