Monday 27 April 2009

Forbidden Planet - not disclosing Credit Card Fraud

On a similar subject to my previous blog post about the data loss at Impulse Group: Forbidden Planet (UK) managed to have their customers' credit card details breached. In what seems to be the norm nowadays, Forbidden Planet (UK) have not sent messages to their customers to report the problem; instead, a rather strange message was left on the 'closed' Dr Who forums by the site owner - but the statement is available at Blogomatic 3000.

The data is being used by fraudsters - one customer I spoke to said that £10 transactions had gone through his Maestro card. Fraudsters use "taster" £10 transactions because they are small and confirm the card is still active before selling the details on.

The big questions that I'm seeking answers to:
  • Why wasn't the system PCI DSS compliant? If it had been, the card numbers would not have been available to those that stole the data. PCI DSS requirement 3 specifically says that stored cardholder data has to be 'protected' - we're not just talking database passwords; the PAN has to be rendered unreadable wherever it is stored, including log files.
  • Why was credit card data older than 2 months still being stored? PCI DSS requirement 3 also says that cardholder data must not be stored for longer than necessary.
More information on PCI DSS can be found here: http://www.pcisecuritystandards.org
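To make the two requirement 3 points concrete, here is an added example (my own illustration, not code from Forbidden Planet or from the PCI Security Standards Council) of the kind of control a merchant would run over its own application logs and stored records: a scrubber that finds Luhn-valid card number candidates in log lines and masks them to the first six and last four digits, and a retention check that lists records whose card data has outlived the retention window. The log lines and stored records are constructed for the example; the card numbers are the publicly known Visa and Maestro test numbers, not real cards. The real fix is never writing the PAN to a log in the first place; the scrubber is the safety net for logs that already exist.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from the breached site).
# The card numbers are the well-known Visa and Maestro *test* numbers.
SAMPLE_LOG = [
    "2009-04-20 10:01:13 order=1001 pan=4111111111111111 exp=0611 amount=10.00",
    "2009-04-20 10:02:44 order=1002 pan=6759649826438453 amount=49.99",
    "2009-04-20 10:03:01 order=1003 ref=1234567890123456 amount=5.00",
]

# A PAN candidate is a run of 13 to 19 digits not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS masking limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str) -> str:
    """Replace every Luhn-valid PAN candidate in a log line with its masked form.

    Non-Luhn digit runs (order references, timestamps) are left untouched so
    the scrubber does not destroy useful log content.
    """
    def _sub(match):
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_ok(candidate) else candidate
    return PAN_RE.sub(_sub, line)


def scrub_log(lines):
    """Scrub a whole log, line by line."""
    return [scrub_line(line) for line in lines]


# Constructed stored records: (order id, ISO date the card data was captured).
SAMPLE_RECORDS = [
    ("1001", "2009-01-15"),
    ("1002", "2009-04-20"),
]


def records_past_retention(records, today_iso: str, max_age_days: int):
    """Return the order ids whose stored card data is older than the retention
    window and must be purged (requirement 3: keep cardholder data only as
    long as the business actually needs it)."""
    cutoff = datetime.fromisoformat(today_iso) - timedelta(days=max_age_days)
    return [oid for oid, stored in records
            if datetime.fromisoformat(stored) < cutoff]


if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
    # With a 60-day window as of the date of this post, order 1001 is overdue.
    print("purge:", records_past_retention(SAMPLE_RECORDS, "2009-04-27", 60))
```

The Luhn check is what keeps the scrubber from masking every long number in a log; the third sample line carries a 16-digit reference that fails Luhn and is left as-is. A merchant that needs to keep card data at all should be storing it encrypted or tokenised rather than relying on a scrubber, but running something like this over archived logs is a quick way to find out whether full PANs have been leaking into them.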
