In my company, they made the entire company PCI-compliant (as opposed to a small team of beancounters).

This meant that the janitors had the same security responsibilities as the CFO.

It was ... invigorating.

The consultants that recommended it made a lot of money, though, so I guess it's all good.