[dogma1138]

There are audits a large enough retailer would need a QSA audited PCI compliance report and while they can have 2 versions to avoid being flagged by the auditor their liability when getting caught would be colossal.

Credit Card companies are very good at identifying the source of the leak from only a handful of fraud complaints you’ll be surprised how few places would be shared across even a small batch of cards say <50.

If the retailer is large enough to make an impact they’ll get caught and dealt with very quickly and the value of credit cards and matching PII/CHD today is very low a few million cards might be worth only a few 1000’s of dollars depending on their age, source and estimated credit limit.