Posted Wednesday 28th May 2008 04:42 GMT
wriggle room
PCI DSS leaves a lot to be desired as a 'standard'; there are several ambiguities, and some will argue that it's no more than a lawyers' bean feast to enable the card companies to offload liability. The fact that the 'standard' is crappy doesn't stop companies using compliance with it as a PR smokescreen. It's a beautiful concept: a shonky standard that gets the corporate players off the hook, leaving the poor old card holder with the problem.
As for fines, the acquiring bank can fine the company, but the real financial penalty is the $25 + 5 per card that card-issuing banks, etc., can charge the offending company. 94M x $25 is not an insubstantial amount. So what's stopping them?