Survey Says: PCI DSS Compliance Not Strategic
Written by George Hulme   
Tuesday, 29 September 2009 18:39

That's right. A survey conducted by the Ponemon Institute, and backed by security firm Imperva, says that the vast majority of firms don't view the Payment Card Industry Data Security Standard (PCI DSS) as a strategic initiative.
That data hints that incurring the cost of a breach is cheaper than protecting systems and data. So does the finding that 60% of respondents don’t think they have sufficient resources to comply with PCI DSS or to reach a necessary level of cardholder security.
So what happens when security isn't treated as a "strategic initiative" by a broad swath of the business community? You get what we have today: near-daily news reports of credit card, financial, and other personal data being breached.
The sad fact is that PCI DSS compliance should be considered a security baseline -- not the ultimate objective, which would be a secure infrastructure. It seems many companies, most in fact, aren't even willing to make the investment required to hit the bare minimum.

The full article is available at InformationWeek's Security Weblog.

 
