Good point here:
PCI compliance mandate's power raises conflict-of-interest questions, 11/08/07: Businesses accepting credit cards have to assure their networks are secured according to the Payment Card Industry Data Security Standard, and to achieve that, they often make security investments based on the advice of the organization setting the standard and its 60 or so qualified security assessors empowered to judge whether a business is PCI compliant or not.
http://www.networkworld.com/news/2007/110807-pci-compliance.html?nlhtsec=1105securityalert5&&nladname=110907securityal