> Of course I really hope the Marriott weren't storing CVV in a reversibly encrypted format.
You're not allowed to store the CV2 in any form that could be recovered (i.e. plain text or reversibly encrypted) or brute forced (i.e. hashed/salted). PCI rules say you simply aren't allowed to store the CV2 after the call for an authorisation, as it's no longer required. If they were storing the CV2 then they're in trouble.
The linked article reads like most of that was not encrypted. The CVV wasn't listed as being stored, but CC number, name, and expiry, without the CVV are usable in the US, even online in many cases. A CC charge without CVV doesn't hard fail, so it's the merchants choice as to whether to even ask for it.
But you can buy that information for $1 a pop (or far less if you buy in bulk, think $0.3 or so).
Credit card fraud is far more involved than just getting payment information, you won't succeed at ordering anything of value without understanding how anti-fraud systems work.
Actually using the card information is almost entirely left to the lower-end criminals, it's just ridiculously difficult to scale.
After spending years hanging around in those circles I'm rather convinced that the only people making real money with credit card fraud are the shops, hackers stealing the cards and reshipping services.
The biggest buyers on the shops seemed to be criminal gangs engaging in relatively small-scale fraud maybe moving hundreds of thousands a month.
At the very least you'll need cardholder name and expiry to match up, and hopefully you'll need CVV/CVC as well.
Of course I really hope the Marriott weren't storing CVV in a reversibly encrypted format.