Given the nature of their business then I would imagine that PCI DSS applies.
Unencrypted data may represent a fail. However if the storage volumes that they were stored on were encrypted but accessible due to being online then sadly that would probably pass.
Still, given there was a breach then something else may surface as a fail. My money is on an admin password on a post-it note stuck to a monitor near a window.