Even though what this AC said isn't very helpful, it expresses frustration with what happened. I think it deserves a better response.
Lots of posts here say we should punish the malware author very severely. I say punish him like a small town vandal. Give him a talking to, maybe make him give up his earnings, tell his parents, and then leave him alone.
You're missing the actual criminals here:
1. The people who installed this malware.
2. The people who sold the credit card records.
These guys deserve the full brunt of the law for damages done.
But even those guys don't deserve the strongest of punishments. The harshest criminal proceedings should be meted out to the CIO and CEO of Target (and Needless Markup et al. :-). They should be held criminally liable for not securing customer credit card information. Surely with the myriad of laws that Congress has passed there has to be some law or statute around storage and transmission of financial records that would stick. Sadly I feel like I'm deluding myself with that hope.
I imagine even one single CIO going to jail or merely facing a judge during criminal proceedings would make a much bigger change in how financial information is treated by officers of companies in the US.
This situation is avoidable. We have technology that mitigates these risks enormously. What keeps theft of credit card information from ending is that the people who make decisions don't need to care. Make that change and the network effects might do the rest.