I would imagine that Gamerstop did not build their payment system all by themselves, and rather rely on a third party.
Any idea what that is? Because either the third party has been compromised, or GamerStop has been compromised. But if the latter is true, then it means that the third party does not enforce proper and secure integration of their system.
My point is that I wouldn't blame GamerStop, but rather the payment system they have been using. And while past consumers of GamerShop need worry about their information, any online customer over the net need worry about sites using crappy payment services.