Its just a blow out, not a cut.

As a cyber security consultant, I can confirm. Not a single company out of hundreds I’ve performed PCI remediation for managed to completely comply with requirements, with some leaving major issues like storing cc info in a searchable plain text db for better “customer service”. There’s barely any enforcement for this.