Last century we were tangentially involved in the Cal. state data breach notification legislation. We had been brought in to help word-smith the Cal. state electronic signature legislation, and several of the other participants were heavily into privacy issues. They had done detailed, in-depth citizen surveys, and the No. 1 issue was "identity theft" ... primarily in the form of "account fraud", with fraudulent financial transactions as a result of crooks harvesting transaction details from skimming, data breaches, etc.
The standard issue is that "security" normally motivates an entity to protect its own assets. The issue with "account fraud" and "data breaches" was that the institutions experiencing the breaches had little or nothing at "risk" (it was individuals and their transactions that were at risk), and as a result little or nothing appeared to be getting done. It was hoped that the publicity from data breach notifications would result in corrective actions by the institutions (as well as giving individuals the opportunity to take their own countermeasures).
The PCI effort seemed to start not long after the Cal. data breach notification legislation was passed ... and seemed to go along with industry calls to repeal breach notifications (because of industry efforts like PCI). There have been numerous federal "notification" bills introduced since then ... about evenly divided between bills requiring similar requirements to the Cal. notification legislation and "federal preemption" notification bills that would eliminate most notification requirements.
Posted by Lynn Wheeler at April 10, 2012 09:41 AM

"Problem solved. I wonder what the price of the kill-switch is, without the audit?"
It's been a couple of years since I have dealt with PCI-DSS ('08), so it may have changed, but the price used to be where the financial burden of recovery fell, i.e. the required every-couple-of-months Visa auditors you have to pay for, the reissuing of cards, etc. etc. If you were PCI compliant, it fell on the next level up in the PCI issuing/processing hierarchy (as theoretically the outside auditors you hired reported to them, and they had a responsibility to review your audit results and reject/accept them), whereas if you weren't, it fell directly on you. The incentive (in theory) was supposed to be between the price of compliance with your issuer/processor and your local issuer. I know personally of one middle-market client (~$300 million in revenue annually) that consciously decided to simply insure against a PCI event over complying, once they ran the numbers on PCI-DSS compliance post-QSA audit results. You could maybe argue the insurance company who did their policy didn't adequately capture the risk, but I have doubts on that.
Of course this all fails from a security perspective, but makes perfect business sense.
Posted by Peter at April 10, 2012 02:04 PM