I can't really agree on this. I'm not a big CC user myself (it isn't that popular in my country), but I don't think I can get access or get a PIN or anything just by supplying the last four digits. I might be able to answer some questions to block my card. To get something new, I first get a notice through the mail, then I need to show up at a local office with that notice + ID.
Now a hosting company isn't a bank, so you don't have to show up somewhere, but I still think only confirmed channels should be used: registered phone/SMS, physical mail, or e-mail.
I do agree that WHMCS has been trying to lay off responsibility and that they're playing to be only a victim, but I do think HG could also do something.
I'm not sure if I follow you on the PCI requirements, couldn't they also just have used an outsourced provider, so they don't keep the numbers themselves? Then they would've been hacked anyway. The goal of this hack wasn't the CC info I think.
Things sound a bit different in your country. Where we live (US), you don't have to go into a bank to make changes; you can call over the phone to speak with a live person, in which case they ask you a set of security questions, usually about 5, one of which is the last 5 digits of a card. It is the same when I use online banking... it asks me a set of security questions.
We do not and obviously cannot provide our ID when doing this... but yet we can cancel a card, order a new one, transfer money, change a password, doesn't matter.
This isn't just US banks either... here is another great example, since this is concerning a merchant: most merchant account providers do not have a physical location where you can just stop by to show ID; in most cases they are on the other side of the country... they all rely on security questions for authentication. Which is most likely why the rule is in the PCI compliance requirements in the first place to have secure questions and answers that could only be known to the account holder.
Hosting companies are no different, they ask a set of security questions all of which the attacker on WHMCS had the answers for, so obviously they were crap security questions which is violation #1 of PCI compliance requirements.
The second PCI compliance rule that was violated is that on any system holding cardholder data, you must change the passwords after a vendor is done doing any work they are tasked to do; even if they are a 24/7 vendor, it specifically states they should not have 24/7 access. In this case the vendor is their hosting company. If they had followed PCI compliance, the vendor (Host Gator) would never have had the password to give out in the first place.
This attack would have never been successful if they had followed the PCI requirements.
All this does is make you wonder how many other PCI violations they have, since they are violating such basic and obvious rules.