The irony here is that it's VISA handing out fines.
OK, I admit it, I have a dog in this fight, but it's because I have been looking at the problems with card transactions for quite some time (> 10 years).
The security model of card transactions has been flawed from the moment "card not present" payments were accepted (read: since you could buy things by phone), and especially VISA and Mastercard have brilliantly avoided their responsibilities by making every participant in the scam accept responsibility instead of themselves. EMV, CCV, 3D Secure - they're gaffer tape over cracks, camouflage for what is in reality a fully broken model. Credit to them that they got away with it for so long, but this case yields some hope that the scam will end at some point.
The only organisations that can address the deficiencies are the transaction carriers such as VISA and Mastercard themselves, but as they are the only link in the chain that does NOT suffer after a breach, there is no incentive. As a matter of fact, the opposite is true - to truly address the issue would require replacing all the hardware and infrastructure, and that is surely not going to happen without pressure, pressure they have neatly rolled off to others. They have covered up deficiencies by throwing PCI compliance processes at others; the reality is that the real problems reside in the centre.
This merchant basically gets fined for not protecting VISA and Mastercard, not for a compliance failure. Personally I hope the merchant wins, because it's time something happens.
It's ridiculous that people in the 21st century still have to rely on security that was already inadequate in the 20th.