Not exactly. Any business that processes credit cards has to be PCI compliant. That means truncating the credit card number or encrypting it. So any company that gives the DHS access to unencrypted credit card numbers is no longer PCI compliant and is liable for damages in the event of a breach (which this may be).
The result of the law going into effect is pressure from up-on-high in the company to be in compliance with the law and gives justification to spend money on people and equipment/software/etc. Another company I worked at wouldn't even spend money for firewall software, because management dismissed IT's cost/benefit justification. If it didn't directly contribute to sales figures, it didn't happen. I'm glad I'm not there anymore.
Now, IT security is talked about at all levels, from IT all the way up through management. The question is asked and discussed: "Is the sensitive information adequately protected?" Having the GLBA as the hidden hammer gives the question a lot of weight. And it's made a difference, with a lot more thought being put into it. Any planning does have project time and resources set aside specifically for security. There's actually time to audit and review existing equipment, and authorization to change any blatant findings.
Is it perfect? Well, no. More time and money could certainly be used. But the effort put into it certainly exceeds the bar that the GLBA provides. I do admire the company for that.