The data was taken "in transit for authorization from the point of sale," the letter states, meaning it was captured as the card data travelled from the cash register to one of the institutions Hannaford uses to authorize and process transactions.
The disclosure also stated that malware on the store servers accumulated records of these purchases in batches, then transmitted them to an unnamed offshore Internet service provider.
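The pattern the disclosure describes has a recognizable network shape: a store server that should only ever talk to the payment processor starts making periodic, large uploads to an unfamiliar external host. The following is an added example (not Hannaford's code, logs or detection logic) of how a security admin could baseline store-server egress and flag that shape. The processor and store-server address ranges, the thresholds, and the flow records are all constructed assumptions for the example.

```python
"""Egress allowlisting and batch-upload detection for card-data hosts.

Added example, not from the original post. Assumes a store-server segment
that has exactly one legitimate external peer (the payment processor) and
flow records of the form (timestamp, src, dst, dst_port, bytes_out).
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed: the processor's authorization endpoints (TEST-NET placeholder).
PROCESSOR_NETS = [ip_network("192.0.2.0/24")]
# Assumed: the store-server / POS segment.
STORE_SERVER_NET = ip_network("10.20.0.0/16")

# Constructed flow records for the example; not real Hannaford traffic.
FLOWS = [
    # Normal authorizations: small, frequent, to the processor.
    ("2008-02-01T09:00:00", "10.20.1.5", "192.0.2.10", 443, 1200),
    ("2008-02-01T09:00:07", "10.20.1.5", "192.0.2.10", 443, 1150),
    ("2008-02-01T09:00:15", "10.20.1.5", "192.0.2.10", 443, 1300),
    # Internal DNS lookup: inside the segment, not egress.
    ("2008-02-02T10:12:00", "10.20.1.5", "10.20.0.2", 53, 90),
    # Nightly batch uploads to an unknown external host (assumed exfil shape).
    ("2008-02-01T23:00:02", "10.20.1.5", "203.0.113.77", 80, 845000),
    ("2008-02-02T23:00:05", "10.20.1.5", "203.0.113.77", 80, 912000),
    ("2008-02-03T23:00:01", "10.20.1.5", "203.0.113.77", 80, 880000),
]


def unexpected_egress(flows):
    """Return flows from store servers to any destination that is neither
    inside the store segment nor inside the processor allowlist."""
    out = []
    for ts, src, dst, port, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if s not in STORE_SERVER_NET:
            continue
        if d in STORE_SERVER_NET or any(d in n for n in PROCESSOR_NETS):
            continue
        out.append((ts, src, dst, port, nbytes))
    return out


def batch_upload_pattern(flows, min_bytes=100_000, min_count=3, max_jitter_s=600):
    """Flag (src, dst) pairs with at least min_count transfers of at least
    min_bytes whose inter-arrival gaps are all within max_jitter_s of the
    median gap, i.e. large uploads on a schedule rather than on demand."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        if nbytes >= min_bytes:
            groups[(src, dst)].append((datetime.fromisoformat(ts), nbytes))
    hits = {}
    for key, events in groups.items():
        if len(events) < min_count:
            continue
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= max_jitter_s for g in gaps):
            hits[key] = {
                "count": len(events),
                "period_s": median,
                "total_bytes": sum(n for _, n in events),
            }
    return hits


if __name__ == "__main__":
    for flow in unexpected_egress(FLOWS):
        print("unexpected egress:", flow)
    for (src, dst), info in batch_upload_pattern(FLOWS).items():
        print(f"batch upload {src} -> {dst}: {info}")
```

The two checks are deliberately independent: the allowlist catches any unexpected peer regardless of volume, while the periodicity check catches the batch-and-forward behaviour even where the destination has somehow been allowlisted. In practice the thresholds must be tuned against the store's real authorization traffic.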
According to Hannaford, not only is the company fully compliant with the PCI DSS card data protection standard, but it passed an audit as recently as late February! This is clearly a nightmare for the major credit card companies. There's already a perception that the standard itself is garbage, and news like this further validates that contention.
But I always approach these problems from a security admin's perspective, so what can we learn from this?