As for the standard, a merchant not meeting PCI DSS requirements -- and there appear to be a lot of them these days -- might lose its ability to participate in merchant card programs. In today's near-cashless society, that would be a heavy blow. Merchants not meeting the PCI DSS standard could also be subject to a merchant card program fine if they wanted to stay in the program, and not following the recommended standards could be considered evidence of a lack of "due care" and lead to civil damages. But it's not against the law.
Second, the PCI DSS standard doesn't prevent the storage of credit card numbers. In fact, it specifically says it's all right to store that information, along with the cardholder's name and card expiration date, as long as all information that's stored or transmitted is protected. What can't be stored? All the information on the card's magnetic stripe and the three- or four-digit "verification" numbers on the back of the card (i.e., the CVC2, CVV2, or CID codes).
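As an added example, not from the column, here is a Python helper that applies the storage rule just described: it keeps only the name, card number and expiry from an authorization record, protects the card number, and scans stored text for magnetic-stripe data or verification codes that should never have been written. The field names, the masking convention and the keyed-hash choice are assumptions made for this example.

```python
import hashlib
import re

# Per the column: name, PAN and expiry may be kept if protected; full magnetic-stripe
# (track) data and the CVC2/CVV2/CID code may never be stored. Field names are assumed.
ALLOWED_FIELDS = {"pan", "cardholder_name", "expiry"}

# ISO 7813 track layouts: track 1 is '%B' PAN '^' name '^' YYMM...; track 2 is ';' PAN '=' YYMM SVC ... '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]*\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")
# Verification-code fields written as "cvv2=123", "CID: 1234", etc.
CODE_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\b\s*[:=]\s*\d{3,4}", re.I)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that separates a real PAN from a random digit run (cuts false positives)."""
    total, double = 0, False
    for ch in reversed(pan):
        d = int(ch) * 2 if double else int(ch)
        total += d - 9 if d > 9 else d
        double = not double
    return total % 10 == 0


def sanitize_for_storage(record: dict, pepper: bytes) -> dict:
    """Return only what may be persisted from an authorization record.

    The clear PAN is replaced by a masked form (first six / last four) for display and a
    keyed hash for lookups; the hash construction here is an example choice, not a PCI mandate.
    """
    kept = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    pan = kept.pop("pan", None)
    if pan:
        kept["pan_masked"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        kept["pan_hash"] = hashlib.sha256(pepper + pan.encode()).hexdigest()
    return kept


def find_prohibited_data(blob: str) -> list:
    """Scan stored text (a DB dump, a log line) for data that must never have been written."""
    findings = []
    for label, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        m = pattern.search(blob)
        if m and luhn_ok(m.group(1)):
            findings.append(label)
    findings.extend(m.group(1).lower() for m in CODE_RE.finditer(blob))
    return findings
```

Running `find_prohibited_data` over database exports and application logs is a cheap way to catch the swipe or authorization code that a developer "temporarily" logged and forgot about.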
HIPAA doesn't have any specific technology requirements. As with PCI, all the recommendations are general in nature. Although many people, including myself, could argue that this lack of specificity means security problems will keep occurring, the reality is that there are so many ways to protect computer data that no single recommendation would ever be complete enough.
Suppose a standard required the use of 10-character or longer complex passwords. Sounds good, right? Well, yeah, if everything else is up to spec. No single recommendation can be considered in a vacuum; the entire system must be securely configured and maintained. For example, with the 10-character password requirement, how frequently must the password be changed? Who assigns the password? Does any other user (such as an administrator) know the user’s password? Are users forbidden from writing them down? How well does the underlying system protect the password in transit? Does the password authentication protocol use challenge-response, plaintext, or token substitution? Does the system have account lockout for n number of invalid password attempts? Is account logon auditing turned on? Does anyone ever review the logs?
Instead of getting into these kinds of specifics, standards like PCI DSS or HIPAA say something like, "...secure passwords must be used." The idea is to pass along a general recommendation that the average person or administrator would take (or should take) in the normal course of business. If data gets compromised, the injured parties can point to the lack of "due care" taken in implementing the standard. Of course, general standards are also why vendors who continue to allow other people's personal data to get stolen keep escaping meaningful prosecution. It's a double-edged sword.
For the most part, if you follow normal network security best practices, you will meet most of the various regulations' requirements. I've been involved in auditing merchant card vendors for PCI compliance; the only requirements I consistently see merchants not meeting by default these days are writing their wireless logon logs to a server location on the internal LAN and changing their WEP keys (if they use WEP) at least quarterly.
It can never hurt to read the source documents that regulate your industry, even if they are boring and dry. You'll seem a whole lot more intelligent to your boss, your co-workers, and know-it-all vendors.
(And yes, password-protected, encrypted .zip files are accepted by HIPAA as a secure transmission method as long as the password is not passed in plaintext.)