"You are compliant, and then if something [like this] happens, by definition you're not."
Err, no. PCI compliance is a set of standards. Just because you get broken into doesn't mean you lose compliance. It says when you patch, how often critical vulnerabilities have to be applied, etc. It provides a *best effort* methodology. A system is never hack-proof, there are always zero-day exploits and more found.
If the *founders* of PCI DSS consider getting hacked into a measure of being not in compliance, then the methodology is broken and needs to be reworked. Most ricky-tick.