These thefts are just the tip of a very large iceberg. The Secret Service cybercrime investigations team has arrested more than 4,900 suspects associated with $1.37 billion in fraud losses in the last four years.
Cleaning up the mess will be complex and costly. And a consensus on how to do it remains elusive.
The U.S. is an island when it comes to plastic cards with personal financial information stored on magnetic strips — a tool in use since the 1960s. Most other countries ditched the cards years ago in favor of a version known as EMV, a chip-based means of securing payment transactions developed by Europay, MasterCard and Visa.
Without this added layer of security, American credit cards have become easy pickings for thieves who swipe the data and sell it to counterfeit card makers.
"All the issues we are seeing are the result of the legacy systems we have in place," said Alphonse Pascual, a senior analyst for Javelin. "This information can be stolen by anyone."
Rather than push the costly EMV technology, credit card companies joined forces in 2006 to create the Payment Card Industry Security Standards Council. The council was charged with facilitating the adoption of tighter protections against the theft of consumer data.
Some credit the group for improving security and creating investigation and reporting standards. Many criticize the council as being too passive.
Either way, Troy Leach, PCI's chief technology officer, insisted during the recent congressional hearings that the group is better equipped than legislators to handle data security.
"High-profile events such as the recent breaches are a legitimate area of inquiry for the Congress, but should not serve as a justification to impose new government regulations," he said.
Already, Sen. Patrick Leahy (D-Vt.) has reintroduced the Personal Data Privacy and Security Act, which he first sponsored in 2005. The bill would create, in part, new rules for data breach notification and securing customers' personal information.
The payments industry has set a 2015 deadline to implement the chip technology in U.S. cards.
But the timetable isn't a requirement. Instead, credit card companies are compelling retailers and banks to make the switch by refusing, after the deadline, to foot the bill for fraud that EMV cards could have prevented.
Target recently said it will accept EMV cards by early 2015 and accelerate its investment in chip technology.
But many retailers are balking at the estimated $20 billion to $35 billion they'll have to spend to replace their point-of-sale technology, including the $9 billion to $15 billion in terminals that would have to be swapped out.
In addition, retailers want cards that also require personal identification numbers but complain that banks are calling for chip-and-signature cards, which are more easily counterfeited.
Mallory Duncan, general counsel for the NRF, calls such cards a "half-baked solution" or "like locking the front door and leaving the back open."
"It's a very expensive transition," Duncan said. "No one wants to spend billions of dollars to swap out equipment if there won't be chip-and-PIN cards."
And EMV may be just a partial stopgap, said many security experts, who note that the cards would not have prevented the kind of data breach that occurred at Target.
And although adoption of the cards cut back payment card fraud in Europe, some countries have recently begun to see an increase in fraud online, where EMV's protections aren't effective.
"Fraud is like a balloon," Pascual said. "You squeeze one end, and it pops up in another. I don't like seeing EMV thrown out as a panacea."
Many security companies are pressing for more radical shifts, encouraging tactics such as greater encryption of data and biometric shields, such as fingerprint scanners.
Many, though, are just bracing for the next attack.
"This is the largest economy, and most of the largest merchants in the world are here — it's the best place to commit fraud," said Sterne Agee financial technology analyst Jennifer Dugan. "They're trying to get it done before the doors close and all that data is rendered less usable to them post-EMV."