The card readers that I've worked with do their encoding at the reader. They should only be showing the user (the clerk) something like the last 4 digits, if anything.
From what others said, based on the vague information released, it sounds like the card readers had firmware updates that allowed this to happen.. I still see two tremendously troubling things.
1) If it was someone in-house who did that, how the hell were they allowed to do that.
2) Even if the firmware captured all the card, why was it allowed to send out to a 3rd party destination. If it's all on private circuits, they simply wouldn't have a way to talk out. Obviously, they did, or else it wouldn't have been a breech.