I landed in a great startup (lucky me) where the IT infra manager had an entire fake environment for the PCI auditors. So many laughs. They hired a info sec manager eventually, who wrote stacks of policies and put us through numerous successful and legit PCI audits...but yeah, that was one example of the regulations being skirted. There was a constant barrage of legal issues though that consumed three in-house lawyers.