Is PCI good or bad?

Much digital ink has been spilled over the Payment Card Industry Data Security Standard (PCI-DSS), the standard set of security rules that any vendor accepting credit card payments agrees to follow.  Many of the articles try to find a way to criticize the standard, with "PCI wouldn't have stopped this breach, it's worthless!" being the usual battle cry.

First, most of those people miss the point.  PCI is a minimum standard that is evolving constantly.  The PCI-DSS of 2007 was a lot weaker than the PCI-DSS of today.  As new threats emerge, the standard evolves.  A few years ago, wireless was not mentioned; now it is a significant focus.

The security council also (correctly) will not require emerging technologies that have not proven their value and are not available to the majority of those who must comply with the standard.  So when a vendor advocate complains that the PCI-DSS doesn't require some security product buzzword that is only sold by a couple of vendors who charge both arms and a leg for the base-level product, I don't give a lot of credit to the critics.

The other criticism I hear is kind of amusing: "It's too difficult, it's just a checkbox."  Except the very areas that people complain about most (to me at least) are areas that very much matter, like separation of duties, logging, and individual accountability.  Those may not prevent the initial attack, but they certainly help contain its spread and make it easier to detect an attack before sensitive data is exposed.

So is the PCI-DSS perfect?  Of course not.  But it's one of the better standards, and certainly the only technical security standard I've seen with even baby teeth in it.  Other security standards are so vague as to allow them to mean whatever an anti-security manager wants them to mean and be able to claim that they are compliant.