It might not have been a keylogger...
People seem to keen to blame third party javascript code and/or a hack on the website but given the long and precise date range over which data was stolen, Occam's razor suggests to me that a one-off theft of a single DB might be the truth. Of course, that would also suggest that they *were* storing CVV codes in their DB. But it does seem more likely to me than the notion that they had a compromised, busy public website on which a data leakage hack was able to operate unspotted for such a long time...
Biting the hand that feeds IT
