(b) It seems to me that the customer in question is in a much better position to file a complaint than you are. I can't see anything wrong (but see (a)) with writing them a detailed letter explaining the implications of what you found during the transfer. They will probably not want to act on it, but if they do, they can't be accused of ulterior motives.
(c) You could try the tack of advertising very loudly that you're PCI compliant, without ever mentioning your competitor. (Is there third-party PCI certification? If so, you might want to get it.) Yes, everyone who handles credit cards is supposed to be PCI compliant, but customers don't necessarily know that; you could perhaps make it a differentiator. If your competitor is so unscrupulous as to advertise themselves as compliant when they're not, possibly (see (a)) you could then report them yourself.