Even then, attackers with half a brain (and malicious intent) would also have backdoored the payment page to harvest "fresh" credit cards numbers during the period they went unnoticed (possibly days/weeks). It's another good reason to leave the credit card handling to a reliable 3rd party imo.