Companies are split into PCI Levels based on how much money/customers they handle. Level 1 are big companies like amazon, level 2 are medium sized online retailers generally, and level 3 are smaller retailers.
The 'lower' your level, the easier the PCI audits are. If you are level 1 you have mandatory external audits. If you are level 2 you have a 'self assessment' which is basically a checklist which says "Yes, I promise I'm in compliance".
If you have a confirmed breach, you are upgraded to Level 1 merchant audit requirements. This is generally quite costly as the external audit is extensive and must be paid for.
A lot of my CS degree wasn't really applicable to the work I actually do (line of business applications) but it was interesting as hell. I went to classes with a lot of people that hated half of the things we did (physics, math, combinatorics, machine learning, assembly, microprocessor fabrication) but every one of those things was just flat out interesting. Not really applicable, but I don't regret learning it at all.
There are monetization strategies which don't involve charging the end user anything for the service provided.