my narrow understanding of the issue is that the breach did not occur on AHS servers or via their site. from their earlier posts, it sounded like they believed it occurred with their payment gateway provider as they referenced they were moving to a new provider... payment gateway providers are necessary for every business that accepts credit cards or plastic. if the breach was indeed with them, then chances are excellent that AHS customers were not the only ones affected, it could be customers from hundreds of other merchants who dont have a homebrew forum.
so before we asll go down the road of convicting AHS of not protecting our info, it might be wise to do what you have to do to protect yourself (change your card) and then wait and see what happens/what the story is after the investigation is complete.
if it is a vendor of AHS that has caused the issue, it will be obviously in the best interest of AHS to let their customers know that, and advise how they have responded (we have rec'd hints of that already), but it is also important to know that they will not be prepared to make a formal statement on the matter until they are absolutely sure that it is not their systems or processes that were compromised or at fault.
does this not make sense to everyone?
people do understand how ecommerce sites can work right? you place the order, the card number gets validated and reserved for the funds through a gateway like authorize.net, if the merchant does not process the transactions through the site, but does so manually, then they can login to authorize.net and review the days transactions, process them from authorized to posting and batch process them to begin the movement of funds from one place to another..in this instance, the numbers and the data pretty much remain on the authorize.net site, there is not necessarily any local typiing of numbers into a keypad, there is not necessarily any record of a number stored in any local system... the merchant gateway is serving the purpose of both authorizing the funds are available and as a remote cloudbased transaction terminal. not im not saying this is how AHS is doing it, just that, it could be doing it this way... again, based on my interpretation of their statements made thus far.
in other words, there is not necessarily deception at play here, it may be that consumers just dont have a solid idea of how the transaction is completed when they type their credit numbers into the internet site.