Michael's post reminds me of something that happened a few years ago now ...
I was shopping at tesco.com as I am a lazy geek and hate shopping. Anyway the stuff got delivered no problem, but a few days later I spotted an additional transaction, very similar to my real Tesco transaction (same branch, same day, different price IIRC) but definitely nothing I ordered.
I queried this with Tesco (thinking it was an administrative error) and long story short, there was an employee at that particular branch putting his shopping through on card numbers used by tesco.com customers.
In their defence, Tesco were great about it, whereas the po-lice were neither use nor ornament, at least in their dealings with me.
I didn't really start this reply with the intention of making a point, but let's just say that a decent firewall, everything patched up, blah blah, none of it stopped me from getting screwed by Teh Int0r-W3b. And I consider myself security conscious up to the point where any receipts with full CC details get thrown in an ashtray and burnt, if that gives you any indication ... and no I don't have a clubcard ... although I still use tesco.com as I am still a lazy geek and shopping still sucks.