As a cyber security consultant, I can confirm. Not a single company out of hundreds I've performed PCI remediation for managed to completely comply with requirements, with some leaving major issues like storing cc info in a searchable plain text db for better "customer service". There's barely any enforcement for this.
13 years here. Search results only but even that is increasingly useless with so many folks deleting ALL their historical activity. Loving the fediverse!