
> If we want to be cynical, of course there was a self-serving reason they created the standards

It's not cynical, it is literally the reason PCI exists.

> Five different programs had been started by card companies... The intentions of each were roughly similar: to create an additional level of protection for card issuers

- https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Sec...




Protection from fraud. Fraud costs the credit card industry money. It makes people less likely to trust/use them, which then costs them business.

You said -

"avoid actually being regulated and are a way to shift liability"

This is like saying a store put razors in a locked case to avoid being regulated. Or they simply don't want their stuff stolen?

I was being facetious when I said if we want to be cynical, because of course everything any business does is in their own self-interest. Of course it is -- that goes without saying, unless one is just trying to be glum.


> Or they simply don't want their stuff stolen?

Equating credit card fraud to physical theft is silly. The intermediaries of the credit card industry earn revenue by charging fees to process transactions. When fraud occurs, they're only liable if they were somehow responsible. PCI allows the network to shift liability to the periphery and to allow the central network to deny taking responsibility for systemic problems with the infrastructure.

To use your razors analogy, PCI is like Gillette shipping razors loose in a box to CVS and telling the store that it is liable if anyone gets cut or the razors get stolen AND Gillette can fine them if anyone gets cut or razors get stolen. But that's not how it works; in the real world razors come with safety covers in tamper-evident sealed plastic clamshells.


"Equating credit card fraud to physical theft is silly."

In both cases someone is out money. It isn't a difficult step.

Fraud costs the credit card industry. It costs issuers (they shoulder 60% of the direct cost), merchants, and it costs the future of the industry because it is a nuisance for end-users.

They make a standard of best practices to reduce fraud. Following those best practices is good for every single participant, outside of criminals. Reducing fraud wholesale is the goal, obviously.

Spinning this in a nefarious fashion is not helpful to anyone, and does nothing but muddy the waters.


No one is denying fraud has a cost or that there's benefit to mitigating it. Mitigation comes at a cost, and so there is a cost/benefit analysis performed by stakeholders to determine the scope of mitigation employed.

PCI identifies recommended mitigations and imposes penalties for failures, but it doesn't ensure or validate compliance. It simply shifts liability from one stakeholder to another.

No one is spinning this as nefarious, but rather information that should be taken into consideration.



