From what has been said, there is no indication they were storing the CVVs. The attack appears to have compromised the front end and transmitted details to a third party as they were entered, thus leaking the CVV (and any other payment data entered during the transaction) but not allowing access to any stored data.