by tarr11
3837 days ago
I could see this being an issue if there were penalties for PI storage violations like there are for PCI. PCI is the main reason to use something like Stripe. Right now, if you store PI and get hacked, you just apologize in a post-mortem blog post and move on.

With PI, if your data is hacked, there is no penalty from a consortium, like in the case of PCI data being hacked, but it is ludicrous to say that there is no penalty at all. When a website is hacked and loses customer data, it also loses customer trust. The website's revenue is based on its users trusting the site and coming back to it over and over again. A data leak would be (or rather, has the potential to be) disastrous to the site and its business. (Ashley Madison is the most recent example I could think of.)
I do agree with the fact that for a lot of small sites that just want to identify the user, leaking PI will have almost no negative result. But then, such sites have already moved over to OAuth, and their purpose is already served.