According to a report released today, 70% of retailers treat PCI Compliance as a check-box. The remaining 30% are apparently taking it seriously.
PCI compliance, whether taken seriously or treated as a check-box, is really an economic decision: is the expected loss from a breach, (financial cost + reputational cost + business disruption cost) × probability of breach, less than or greater than the cost, effort and distraction of 'serious' compliance efforts? 30% apparently think the risk is too great, and 70% take the business risk and do just enough to avoid being labeled as negligent.
My guess is that this 70% is also observing that no matter how intense compliance efforts are, post-breach forensics will always find non-compliance (large or small) somewhere, which eliminates much of the benefit of trying anyway.
I think that solution providers will help bridge this gap and make compliance and security achievable and worth the cost and effort regardless of risk preference.