Looking at the battering that PCI-DSS has gone through at a recent US Government Congressional hearing, one might assume that PCI-DSS is just not sufficient for protecting customer data. The congressional hearing is discussed here.
The question should not be WHETHER it is sufficient for protecting customer data; the real issue is whether there are any other efforts in the industry to define something along the lines of PCI.
PCI is the first standard drawn up by a council that includes banks and the credit card companies, and it is a strict requirement for any entity processing credit card transactions at large scale. The standard sets out a number of rules and requires the expertise of security auditors to evaluate the state of any entity.
Again, the quality of the auditors is also critical to the success of the standard. There is a need to work further on the standard to identify loopholes and opportunities for improvement, based on real-world experience from the credit card breaches that have happened since the standard was introduced.
There is no second chance for any vendor who loses customer data. It is not just reputation that is at stake; it costs MONEY. :(