Usually, when a hacker goes for a large company it’s for extortion. They steal records and say they will go public with the info if the company doesn’t fork over a bunch of money. But it takes real skill to pull it off.
Smaller sites are much easier targets and are a lot easier to crack into. They use software to hammer a site/server looking for loop holes they can use to exploit to grab a database, or cease control of the site/server.
Most store owners probably don’t know when they’ve been exploited and the credit card holders don’t realize they’ve been duped until their statement shows up or the bank calls them. There is a black market on the Internet for stolen credit cards. These are mainly credit cards and customer info which has been stolen from online stores with poor security policies. So you never can be too careful.
Working in this field and seeing how lax some programmers are about security concerns (not to mention the store owners themselves), I certainly don’t put any trust in small independent online stores. It’s always the phone or Paypal for me.