"The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored.
... PCI pushes that burden downstream and forces merchants to take on a preventative role rather than a reactive role. They have to put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks. By forcing this to be an issue about prevention rather than reaction, the credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs anyways.
A company is known by the men it keeps.