If the hack is stealing card details in real time, most likely it means the checkout page scripts have had code inserted to pass the credit card number off to a site somewhere else that the shyster controls. It could be done without affecting the normal functionality of the site, so the store owner would probably not notice it was happening.
Achieving write access to modify checkout or other pages seems unlikely, but I've seen it done surprisingly often. A vulnerability like SQL injection can be used to gain back end admin access to the web site, from there one has the ability to upload images and downloadable files for product data. This upload capability can be exploited to upload a script with functions to enable you to write files. From here you can modify any file you like.
- use parametrized SQL queries to avoid SQL injection
- lock down back end systems by IP as well as just username/pw
- ensure file uploads even in the back end are hardcoded to only accept a limited range of file types
- don't have write permissions set in folders that can run scripts, or script permissions set in folders that accept uploads
I should add that the PCI certification system is a total joke. What it should do is make it 100% clear that most businesses should not be handling card data online at all, and should put a clear recommendation that the preferred route for most businesses should be to use a payment system where the card transaction happens off-site. I'm fed up of reading web advice to users that if they see the SSL padlock, they are safe, even when they have no idea what happens to their card details at the other end.