Public records obtained by KPBS show the Compass Card system was out of compliance with the Payment Card Industry Data Security Standards — called PCI DSS — when the cards began being used in 2009.