That's my biggest issue. The people who end up seeing the CC numbers are minimum wage receptionists.
I have a customer who told me that her manager's boyfriend was writing down customers' addresses to go rob them. The nature of the business indicates that the customer is not at their home for extended periods of time. We ended up building in user permissions to see name, address and phone number.
Edit: I have not made up my mind yet. Admittedly, at the time of posting I was leaning more toward that side.
After reading everyone's advice, I'm leaning more toward a multi-tiered approach as @jacquesm suggested. It seems to avoid bad karma and burning bridges. Also, it seems as though the PCI Industry rarely acts on reports. So, working with the competitor to fix their issues could be the best thing down the road. It's a very small industry, and the possibility of a buy-out could exist in a few years.
A recipient could have listened. A recipient could have not listened. I still think it is dishonest when it is someone's intention to fish for agreements. I originally speculated as to whether this was the case, and he/she has said otherwise.
(b) It seems to me that the customer in question is in a much better position to file a complaint than you are. I can't see anything wrong (but see (a)) with writing them a detailed letter explaining the implications of what you found during the transfer. They will probably not want to act on it, but if they do, they can't be accused of ulterior motives.
(c) You could try the tack of advertising very loudly that you're PCI compliant, without ever mentioning your competitor. (Is there third-party PCI certification? If so, you might want to get it.) Yes, everyone who handles credit cards is supposed to be PCI compliant, but customers don't necessarily know that; you could perhaps make it a differentiator. If your competitor is so unscrupulous as to advertise themselves as compliant when they're not, possibly (see (a)) you could then report them yourself.
Don't be under the impression that reporting a PCI violation will matter. They'll just apply a bandage if anyone looks into it. The real risk is if they have a breach, then they'll be liable for more fines. I know businesses that are very successful and ignore PCI. One even sold for a large amount of money. They implemented BrainTree in a week to solve a due diligence issue. No big deal. Sure, if they'd been hacked it'd have really hurt, but they weren't and now have FU money.
For it to actually really hurt your competitor, you'd have to probably astroturf some forums, acting like concerned customers, and get other customers upset. And even then, you're just going to cost them a week or so. Maybe if you timed it for maximum damage, but just don't waste too much time on it.