Officials say it is the biggest case of identity theft in American history.
They say Albert Gonzalez, 28, and two un-named Russian co-conspirators hacked into the payment systems of retailers, including the 7-Eleven chain.
Prosecutors say they aimed to sell the data on. If convicted, Mr Gonzalez faces up to 20 years in jail for wire fraud and five years for conspiracy.
He would also have to pay a fine of $250,000 for each of the two charges.
Mr Gonzalez used a technique known as an “SQL injection attack” to access the databases and steal information, the US Department of Justice (DoJ) said.
Edward Wilding, a fraud investigator, told the BBC that this method was “a pretty standard way” for fraudsters to try to access personal data.
It “exploits any vulnerability in a firewall and inserts a code to gather information,” he explained.
However, he added that this case probably “involved extremely well researched, especially configured codes, not standard attack codes downloaded from the internet”.
Mr Wilding said there was little consumers could do to protect themselves against this kind of fraud.
“The real vulnerability [for cardholders], I suspect, is internet and telephone transactions. But this is a failure in the configuration of [corporate] firewalls,” he said.
Michelle Whiteman, from anti-fraud organisation Financial Fraud Action UK, said that consumers must check their bank statements regularly and flag up any suspicious transactions to their bank.
She said that online, telephone and mail order fraud were on the increase, along with fraud committed abroad on UK cards, according to figures released in March.
But she stressed that any victim of fraud would “always be refunded in full”.
Mr Gonzales’ corporate victims included Heartland Payment Systems – a card payment processor – convenience store 7-Eleven and Hannaford Brothers, a supermarket chain, the DoJ said.
“We are pleased that the authorities have aggressively pursued this case to be in a position to bring an indictment against the alleged perpetrators of the crime,” said Michael Norton, spokesperson for Hannaford Brothers.
According to the indictment, the group researched the credit and debit card systems used by their victims, attacked their networks and sent the data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine.
The data could then be sold on, enabling others to make fraudulent purchases, it said.
Mr Gonzalez, who had once been an informant for the US Secret Service helping to track hackers, is already in custody on separate charges of hacking into the computer systems of a national restaurant chain and eight major retailers, including TJ Maxx, involving the theft of data related to 40 million credit cards.
Mr Gonzales is scheduled to go on trial for these charges in 2010.
This latest case will raise fresh concerns about the security of credit and debit cards used in the United States, the BBC’s Greg Wood reports.
Related Posts: On this day...
- Why poor people support tax breaks for the rich? - 2011
- Is the www dead? - 2010
- I want my life back... - 2009
- Planet Earth: Complete BBC Series on Blu-ray for $38 - 2009
- The Big Lebowski 10th Anniversary Edition DVD for $5 - 2009
- Scientists Show DNA Evidence Can Be Fabricated - 2009
- If websites were people - 2009
- Daft Punk to score Tron sequel - 2009
- Olympic logo cops enforce stupid rules with masking tape - 2008
- U.S. at risk of cyberattacks, experts say... - 2008