Andrew Conry-Murray has an interesting piece on the InformationWeek Security blog about PCI. Here's an excerpt:
I think this is an option that warrants serious discussion because it focuses on the intended results rather than on prescribed controls. That is particularly valuable when we have no real evidence about which controls are most effective at reducing risk; we assume quite a bit about "best practices" that may not actually help.
The idea is not to try to predict in the aggregate how attackers will attack, but simply to let the enterprise determine for itself what its risk level and security posture should be, given the consequences of a potential breach.
Andrew doesn't get too far into exactly what the penalty would be if a breach occurs. I think this is fairly simple: organizations already bear the notification costs. We should simply add the requirement that the breached organization pay for reissuing the affected credit cards and possibly for a year of credit monitoring for the victims.