I wonder if anyone has the energy to read through the PCI DSS stuff? I expect that what they've done contravenes the rules there. You could always ask their acquirer, if you know which bank it is.

Ross