> I would spend 30 minutes writing a Nagios script to verify the web content on the remote server periodically (every 24-hours)
(Static) web content isn't the issue.
There was almost certainly something generating dynamic pages on the backend (PHP, JBoss/Struts, maybe some web framework), and it wasn't being patched regularly. Or else the application code itself was written insecurely. Either way, the attacker exploited some vulnerability to add additional code that did the dirty. It could, for example, have installed a cron job which sent out the credit card details periodically.
Protecting the *whole* system with something like tripwire might have alerted them sooner though.
Biting the hand that feeds IT
