US police have made the first arrests following a 2008 data breach at Heartland Payment Systems.
The credit card numbers were used to make fraudulent purchases at local Wal-Mart stores totalling at least $100,000 in actual and declined transactions.
Leon County police said the investigation will continue and is likely to produce additional charges and arrests.
Heartland, which faces class action law suits for failing to protect customers from identity fraud, has announced a dedicated department to encrypt data on its systems.
Despite being compliant with the Payment Card Industry Data Security Standard (PCI DSS), cybercriminals were able to gain access to Heartland's systems.
The PCI DSS does not currently require that credit card data be encrypted on internal networks, which Heartland says it will now implement.
The first Heartland-related arrests come a week after a data breach at US-based RBS WorldPay was linked to a gang that used cloned debit cards to steal millions of dollars.
The FBI has released images of thieves believed to be part of a gang that took money from ATMs in 49 cities around the world using cloned debit cards in late November.
The thefts stemmed from a data breach at RBS WorldPay in which hackers stole the personal data of 1.5 million card holders, in early November.