PCI DSS is a joke [maybe was]. Look at all the breaches and these companies were PCI approved.
I worked at a place. Though not involved, I would see credit card information lying around. It was ridiculous. I could have walked home and sold the information on the Internet. The problem was that version 2 said that under a certain number of sales, PCI DSS wasn't a requirement.
There were so many holes in our security, and the IT manager couldn't care less.