The alternatives are 1) they were hacked and since they aren't using a P2PE vendor, their card information was written to a database or 2) they have been writing card information to a database since before PCI and haven't been found out until now.