While PCI is its own bag of worms, part of the certification process is to describe the architecture to an outside auditor. It's annoying and companies can (and will) complain all they want, but without meeting that requirement, the company can't say they're PCI compliance. Which they want to be. So they meet that requirement.