PCI/DSS isn't simply about being able to claim nebulous adherence to "best practices"; it's about an organization's ability to maintain a business relationship with its customers and an upstream merchant account provider under certain agreed-upon minimum standards for data security. Quoting PCI Data Storage Do's and Don'ts:
Do not store sensitive authentication data contained in the payment card’s storage chip or full magnetic stripe, including the printed 3-4 digit card validation code on the front or back of the payment card after authorization.
This point in particular is not flexible in nature. Storing that specific information, or failing to take specific steps to secure the access perimeter and the specific systems through which said information traverses, are quick routes to termination of a merchant agreement. Such failures may also expose a business to significant legal liability: litigation rapidly becomes impressively expensive in the event of a breach where it comes to light that the business in question failed to follow basic PCI/DSS tenets, and said legal proceedings may turn into an even greater circus if dominant upstream EFT players such as Visa, etc., believe there is reason to assume negligence on the part of an auditing firm that supposedly delivered a satisfactory report on compliance for the errant business. Reference the recent Target debacle for a fine example of such complications.
There are no magic bullets, but there are baselines. Those baselines could certainly use significant improvement, but that doesn't matter much if the business servicing the consumer doesn't care to consider even basic adherence to agreed-upon information security standards as a critical factor.