The PCI effect -- for better or worse -- following fresh breach of MasterCard, VISA

30.03.2012

Given the present reality, however, Julian says retailers affected by the recent breach have to move quickly to comply with PCI DSS and the applicable state laws, to "notify consumers and brands in a timely fashion. Forty-six states have laws on the books to notify consumers if credit card information was put in harm's way. So they're scrambling to find out if they were compromised, and then they have to adapt it to the state matrix."

In an assessment model he created, Julian's list of "minimum recommended actions" includes notifying one trade organization, five state attorneys general, and 900,000 consumers in nine states, telling the credit agency of 600,000 exposures in six states, notifying local media in two states, providing other general notification and notifying five special offices in three states.

Merchants can minimize or even eliminate those fines by complying with the laws, he says, but if they don't, "they can really add up. In the (2005), $15 million of their $41 million in costs were from fines. And with the changes in the law since then, the fines would be much more today."

For consumers, Krebs says it doesn't make sense to demand a new card; it is enough simply to monitor their card activity online for any suspicious transactions.

"Consumers are not on the hook for fraud charges, provided they report unauthorized activity. Having to deal with a new card can be disruptive and time consuming," Krebs says.