I think the risk in a compromise depends on the card type. For example, corporate/travel cards are issued in the cardholder’s name (via the company), and they would be governed by Regulation W which also covers all credit cards. That is, the liability would be $50 to the cardholder. I am not, however, an expert on the nuances of these particular cards or the specific operating regulations governing them. Maybe companies should check their contracts to see liability provisions?

As for purchasing cards which are issued in the company’s name, I can only speculate that the liability in a breach would depend on the contract between the company and the issuer for liability provisions.

In any event, you make a good point that PCI DSS should not apply. However, I keep coming back to my old high school football coach: we can do things the right way, the wrong way, or the coach’s (i.e., the brands’) way. From my point of view, I guess I’ll keep doing things the coach’s way.

If the “cardmember” rules which apply to a corporate card lay all of the liability with the business on whose behalf the cards are issued, then the card brands have little standing to impose PCI DSS, as the card brands have little to lose.

What are the actual rules?
Does the cost of fraudulent use of a particular business’ corporate cards fall only on that business? If so then PCI DSS should not apply.