I have an idea:
Let’s publish a mandatory security standard that leaves merchants with the false sense of providing adequate security. Then, every time there is a breach, we will send one of our preselected vendors to assess the security and find the merchant in violation of the standards. Then we will fine the merchant. Not here’s the best part- We will create new security products and services to sell to the merchants that are following our insufficient security standard. They will be incentivized to purchase these products and services from us because if they don’t and have a breach, we will fine them! We get them coming and going!
Oh wait . . . dammit!