maybe it was the pizza guys again... http://www.theregister.com/2006/08/24/pizza_fraud_scam/
as for PCI fines... afaik, they only apply if you don't report or you're not "compliant"
From Visa's site:
If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.
Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.
I think the PCI regs rightly take into consideration that even though you are compliant, compromises can still happen (knock on wood). As a PCI compliant company, I can still be at risk from a zero day IIS exploit (although I have IPS software which should prevent this). It would be hard to make a case that I have been negligent because an MS programmer forgot to plug a buffer overflow... (and you linux lovers just be quiet about me being negligent just by using MS ;P)