PCI-DSS doesn't exist in isolation
but needs to be hooked into a national regulator that has the teeth. Primarily in the UK, that being the FCA (formerly FSA). Who have the power of fine, and are certainly not afraid to use it. I really wouldn't want to be working for anyone who suffered a breach in the UK. PCI approved, or not.
If the regulator is useless, then there's no incentive to comply with PCI.
Biting the hand that feeds IT
