o2 is complicit
It's not just the scale of the fraud, it's the poor response by the retailer and the compicity of o2 that also need addressing.
If you read the very long thread here:
http://www.singletrackworld.com/forum/topic/crc-security-issues
You'll see several things:
1. The fraud has been taking place for several months and now runs into the hundreds of thousands of pounds range.
2. There's no confirmation (tyet) that the police are involved
3. A director of the retailer's ecommerce partner posted to the thread to blame the whole thing on ChainReactionCycles' customers not protecting their PCs
4. The "test purchases" at o2 take place because o2 have allowed their systems for at least 10 years to be used by fraudsters to test whether a card has "verified by visa" or similar associated with it - o2's systems allow the same card number to be used for an attempted purchase multiple times with the result that it can be re-used until the fraudster hits on the correct valid date for the card.
There's more coverage of o2's willingness to overlook a significant volume of fraudulent transactions made via their payment systems for more than 10 years here:
http://www.pardoe.net/cellnet/index.html