QSA here. In a nutshell, I'd say don't. PCI compliance is enforced by the card brands and acquirers, so it's not up to you to raise a flag here. Maybe they have compensating controls in place to address those issues (one can be PCI compliant while storing cardholder data in clear-text) and, depending on the line of business, they might have a business justification for storing security codes (unusual, but it can happen). Ultimately, it's not your call. What you might perceive as a violation could very well be a known issue with several compensating controls in place to minimize the risk and, if that's OK with the card brands and/or acquirers, your competitor is doing nothing wrong. Leave it to their QSA to determine their compliance status and to their acquirer to make sure that they're compliant.
