
you could imagine that if visa and mastercard had incompatible restrictions, such that merchants had to choose which one to accept, people would gradually shift to the card that got their money stolen less often, or whose (merchants') websites worked more reliably

since, instead, every business that uses credit cards at all is required to use the same set of counterproductive 'security' policies that make them more vulnerable than before, there is no way for market reality to ground these 'security' policies in real-world security. that's exactly the same problem that happens with government regulation



I've seen several merchants stop using amex because of restrictions. Admittedly those restrictions were very much in the form of excessive fees and nobody would have cared about their customers' stolen money.

Anyway, there isn't total solidarity within the credit card cartel.


The thing is that even today, where it's "easy", still nearly nobody is writing code to directly support the six different credit card types. Instead, businesses mostly rely on payment processors.

In a world where it's impossible to support all six card types directly with one codebase, one of the key dimensions on which payment processors would compete for mindshare would be abstracting away those difficulties in supporting all six card types, enabling the business that uses them to accept more cards, more easily, than if the business went with some rival payment processor. This would be a headline feature, however hard it is for them to accomplish internally.

The only difference from today would be that now, due to those potentially-conflicting requirements, the payment processors would have to build six entirely distinct payment backends that don't share a data model. (Basically treating each credit card platform's cards as different "payment rails", as distinctive from one another as credit card payment rails today are from debit card payment rails.)

And then, of course, the payment processors themselves would come up with guidelines for handling those six different data warehouses and associated infrastructure, separate/downstream from the guidelines enforced upon each data warehouse by the associated credit platform... and those payment-processor-produced guidelines might look again quite a lot like PCI-DSS :P



