"Let's talk about that CVV for a moment. ... PCI DSS is very clear about how the CVV (or CVV2 as it is these days) should be stored ... It shouldn't be stored and that's what makes this breach such a big issue. Violation of PCI DSS guidelines can lead to pretty serious fines and even loss of merchant facilities; the card providers take this very seriously."
The author doesn't explicitly mention it, but the CVVs were saved as a part of debug logging. That mistake should serve as a warning to others implementing PCI DSS systems.
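
The debug-logging failure described above can be caught at the logging layer. The following is an added example, not part of the original comment or of any code from the breached system: a Python `logging` filter that drops CVV values and masks card numbers before a record reaches any handler. The field names, the logger name and the sample message are assumptions constructed for illustration.

```python
import logging
import re

# Assumed field names for the card verification value; extend to match your payloads.
CVV_KEYS = "cvv2|cvv|cvc2|cvc|cid|security_code"
# key=value, key: value, or JSON "key": "value" pairs carrying a 3-4 digit code.
_CVV_RE = re.compile(r'(?i)(["\']?\b(?:%s)\b["\']?\s*[:=]\s*["\']?)\d{3,4}\b' % CVV_KEYS)
# Candidate card numbers: 13-19 digits, optionally grouped with spaces or dashes.
_PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def _luhn_ok(digits):
    """Luhn checksum, used to avoid masking order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _mask_pan(match):
    digits = re.sub(r"\D", "", match.group(0))
    if not _luhn_ok(digits):
        return match.group(0)
    return "*" * (len(digits) - 4) + digits[-4:]

def scrub(text):
    """Drop CVV values entirely and mask card numbers down to the last four digits."""
    return _PAN_RE.sub(_mask_pan, _CVV_RE.sub(r"\1[REDACTED]", text))

class CardDataFilter(logging.Filter):
    """Attach to handlers so records propagated from child loggers are scrubbed too."""
    def filter(self, record):
        record.msg, record.args = scrub(record.getMessage()), ()
        return True

def demo():
    """Log one constructed debug line through the filter and return what was written."""
    lines = []
    handler = logging.Handler()
    handler.emit = lambda record: lines.append(record.getMessage())
    handler.addFilter(CardDataFilter())
    log = logging.getLogger("payments.demo")  # hypothetical logger name
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    # Constructed sample: a well-known test card number and a made-up CVV2.
    log.debug("auth request: %s", '{"pan": "4111111111111111", "cvv2": "987"}')
    log.removeHandler(handler)
    return lines
```

A filter like this is a safety net for code paths that log whole request bodies; it does not replace keeping the CVV out of log statements in the first place.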