I'm not responsible for data security, but know the folks who are. During my 8 years at the bank I don't recall us ever getting hit or an audit point for data security.
Really? We had a much easier time satisfying the Fed auditors than getting the PCI "rock" certification.