How did they not notice this?
Websites which collect card data (my own incl) deploy many security methods to ensure precisely this does not happen.
One of the many methods that we (and most others) use is an Intrusion Detection System (In my case, as a small business owner, Tripwire on Linux), this monitors for filesytem changes, including monitoring the websites files.
This means, if a PHP file is edited, via an exploit or other hack then that file will immediately flag up on the IDS.
This hack absolutely should have been spotted immediately on their IDS, how did they miss this for so long?