PCI is a pragmatic standard which requires security-comatose organizations to wake up to their responsibilities. While PCI is only required for companies dealing with credit and debit card holder data, its relevance is germane for any organization. The Heartland breach has been used extensively by the media to show that PCI is ineffective. Complaint: Being compliant with the payment card standard takes away from the time, money and effort that could be better spent on core information security issues. The 6 PCI DSS control areas and 12 objectives all correspond to good security practices.”]
Source: https://www.csoonline.com/article/2123972/pci-shrugged–debunking-criticisms-of-pci-dss.html