Considering the flock of recent bad examples of inconsistent security, I'm beginning to think the need for some kind of single set of security requirements is unavoidable, no matter how much complaining some companies do about the burden of compliance and micro-management of their businesses.
If millions of customers trust you with data that could compromise their financial security if it were released, and you store that data unencrypted and easily accessible from the Web site delivering the service for which they paid, with few barriers to hackers, someone has to explain to you the importance of not abusing other people's trust.
If Citigroup, with well-planned security configurations and distributed customer records, can get hit for 200,000 customer records, any company can.
The irresponsible ones won't limit the damage as well as Citi did. They'll be more like Sony, whose count of lost records is above 100 million and still growing.
Neither company is small or poor enough to claim it can't afford real security.
Companies that really can't will pose even greater risks to consumers.
They shouldn't have the choice. If a bank is willing to keep my money, federal agencies impose a list of requirements for security and liquidity and fair practices and everything else.
If my personal data is worth money – and if it's not there are a lot of hacker groups out there wasting time – I should be able to count on some level of protection for it as well, without having to check every site I use to make sure what kind of password-hashing scheme they use and how good their SQL injection defense would be.