Texas has passed a bill that makes PCI compliance a law. You can check out the text of the legislation here. The bill allows a financial institution to 'bring an action' against a business if they are in violation of the PCI DSS at the time of a breach.
Interestingly, in order to 'file an action,' the financial institution must first request that the business provide certification of compliance with the PCI DSS and the business must provide that certification within 30 days.
In other words, the work flow that this bill establishes is as follows:
Assumption: Business is not PCI compliant, though it is required.
1. Breach occurs.
2. Financial institution finds out about it (see Texas SB122)
3. Financial institution requests PCI audit from business
4. If the business passes the audit, nothing happens. If the business fails, the financial institution may be able to collect damages from it.
Let's consider how this interacts with the requirements of the card companies. Any business that's processing cards is already required to comply with the PCI DSS, so (depending on its merchant level) it should already be validating compliance annually, whether by an on-site assessment or a self-assessment questionnaire. This law adds an 'on demand' audit in the case of a breach. A business might be able to bring itself into compliance and get audited within the 30 day window, but it would be really tough for an organization of any size.
Also interesting is the provision that a business is safe if they contract out to a third party for processing services, and obtain some assurance that the third party is PCI compliant. Such a provision pushes retailers in the direction of outsourcing card processing, in turn centralizing PCI enforcement further.
What we have here, ultimately, is an(other) attempt to push the liability closer to the party responsible for the risk. It makes sense, really. Any time responsibility (for damages, a breach, etc) and authority (to eliminate risk, add security) are separated, there's bound to be a problem.