
Why do credit card companies run the PCI security standards council?

Why do credit card companies (Visa, American Express, etc.) make up the PCI security standards council? Isn't this something that should be government regulated? How do they determine what security standards are appropriate?

Michael O'Sullivan
Regional Account Manager, Valued Merchant Services
Posted on Aug. 13, 2010

Christy,

I wish I knew the answer to that question. As any of my customers will tell you, although I can understand why an emphasis should be placed on how data is handled and stored, I do not like the program (especially the cost). I think more care should go into ensuring that small businesses – ones that do not process online – have a minimal impact placed upon them.

As to the government running things – don’t know about that one. I have not seen many instances where the government is good at anything other than creating more government.

Mike O’Sullivan


I think every industry attempts to police itself before proving incapable...and even then they still get to do it by rotating between the reg committee and the industry. Just look at Wall St.

As to gov't running things, I learned to read and write in public school. 911 would be here in a jiffy if I needed them. The military. The parks that I go to with my kids. Sorry, I just couldn't let a statement like that go...

If security regs like PCI, HIPAA, SOX, and SAS 70 were serious about getting things done, then compliance mandates wouldn't have constantly been pushed back, and industry would actually be compelled to implement solutions for ALL of their potential breach points. But the best advice can fall on deaf ears until the potential exploits actually occur. VoIP, for instance, has such gaping security flaws that it should have "for entertainment purposes only" stamped on your bill. Either the incidents go unreported, or the bad guys haven’t figured out how to take advantage. I’d lean more towards the former than the latter.

To your final question, the equation is always the least cost route and only for what is absolutely essential and/or legally required. Great national security is achievable, but it will be expensive...IP architecture would need a fundamental shift...and nobody wants to work himself out of a job, right?

Todd Thomson
Community Relations, Wholesale Merchant Processing
Posted on Aug. 16, 2010

The PCI standards, although initially formulated by the card networks, are currently maintained by a more or less independent organization - The PCI Security Standards Council (www.pcisecuritystandards.org).
The council is, of course, comprised of members of the industry, including the card networks themselves, as well as other stakeholders of the payment card system.
This is an industry mandate versus a government mandate/regulation and is our effort to maintain and enhance the integrity of the system as a whole.
Fraud costs everyone involved in the system an incredible amount of money each and every year (billions of dollars) and extends beyond “just” online payments – hence the need for everyone involved in the system, from the smallest card accepting merchant, to the largest processing banks, to be aware of and implement good security practices and policies to help mitigate the potential.
Is there often an expense involved with full compliance? Absolutely. Can it be burdensome to small businesses? Absolutely. Is it worth the time, energy, effort, and money? Absolutely.
Industry reports reveal that the majority of data breaches occur in a small business setting – you just don't hear as much about them because the number of compromised cardholder records is usually smaller per occurrence, but collectively they account for a large percentage of the breaches and resulting fraud.
Small businesses should care about, and be willing to adhere to, the standards, regardless of costs or inconvenience, for this reason if no other: the loss of business and business reputation that occurs as a result of a data breach of any kind.
Add to this the potential for fines from the networks, and the cost of a new PCI compliant piece of equipment or software package, or of implementing new policies or procedures designed to protect cardholder information, is minimal in comparison.
Is adherence to the PCI standards a guarantee against breaches? Of course not. But it does provide a solid starting point to evaluate and implement sound data security practices across the entire payment card system.

Nick Hill
Posted on Aug. 17, 2010

I guess the bottom line is the card schemes have a vested interest in protecting their brands and ensuring confidence in the payment industry, otherwise they wouldn't exist.
