Actually there is a fiscal reason that doesn't have anything to do with profit directly, but the cost of regulatory compliance. I work for a small electric utility that takes online credit card payments and payments via phone. If people understood how much it costs us in time and equipment to maintain regulatory compliance for PCI/DSS alone they might stop asking some of these questions. We spend hundreds of person hours a year to maintain our ability to provide this service to our customers. We have to perform regular internal audits. We have to perform vulnerability assessments and mitigation specifically related to PCI compliance that we would not otherwise have to mitigate. We have to pay for external audits. We have to maintain, audit, track, systems that are there specifically so that we are PCI compliant. Systems that duplicate other perfectly acceptable and functional systems but those systems don't meet certain criteria that make them 'compliant'. Failure to maintain the correct paperwork, audits, assessments, equipment, and documentation for all of the above (yes we have a paper trail to document our paperwork) can result in fines or loss of our ability to accept payments via online or phone. We only have about 40,000 customers but we dedicate close to $100,000 year in hours, and this doesn't include additional firewalls and network infrastructure capital and maintenance costs.

These regulatory burdens apply to ANY entity that accepts credit cards or e-check via phone or online. So whether you see the figure as a line item or not, you are paying for it.

I have to concur with this. In 91 or 92 (I don't remember for sure) I was one of the early group of individuals who downloaded the original PGP that Phil Zimmerman wrote from an online bulletin board. I hung onto that file until several years after the USG decided to drop the whole mess. I've advocated for global adoption of email signing (would substantially reduce the spam problem), and I've been a strong proponent of the general use of encryption and key exchange for email. Over the last couple decades I've implemented email encryption (primarily for signing) off and on, always abandoning it after a while because the percentage of people utilizing it just gets smaller each year. When I do have need to transmit encrypted files (which I do several times a year), I encrypt the files out of band (i.e. not in email) using GnuPG or OpenPGP (PGPi), and I perform the key exchange (if I don't have it) via another method. Then I email the encrypted file as an attachment, or in some cases use SFTP/SCP over ToR to transfer the encrypted data file.

ISC(2) CISSP if you are on a Management or InfoSec track, SANS GSEC, GCIH, GCFA, GAWN would be my top choices for more technical/practical track.