I’ve been saying for a long time now that compliance standards like PCI DSS 1.2 have created a marketing franchise for auditors instead of improving security.
Empirical evidence of the past 2 years suggests that compliance focuses on meeting auditor requirements instead of assuring actual security of your systems and customer data assets. Here’s an interesting interview with Chris Nickerson who is billed by SearchSecurity.com 
as “your worst nightmare. He’s the guy you never see coming, the one who can slip into your data center, install malware on any server he chooses and ease back out without so much as a shadow on your security cameras”.
Newspaper hype aside – Nick had an important insight on PCI compliance:
You might be compliant, but if your system is compromised, you’re going home without a paycheck. People err on the side of compliance versus security.