CIO.com: Claiming PCI Or Any Other Compliance – Daily
Let's be honest: Organizations follow compliance and regulatory requirements like PCI because VISA threatens to fine your company or worse, cut you off from credit card processing.
OMG! I would not be able to process credit card payments, it will cost me untold profit... OMG!
That is more like it, because we all know that if your organization is truly practicing on a daily basis good information security you would be compliant to PCI (just missing QSA certification of course), and you would most likely be in compliance with just about any compliance or regulatory requirements your organization might have thrust upon it.
If you follow and actually practice, perform and maintain a best practice, state of art, best of breed, call it what you will, information security program, you would basically be doing all the right things to become compliant if required. The difference between being secure and being compliant is an organizations maturity model. Practice daily good information security and you will basically be compliant (good maturity). Implement or improve information security for compliance requirements, such as PCI (bad maturity).
More of the CIO.com article from Michael Gough