Supermarket Breach, PCI and Responsibility
Details of the Hannaford Bros. supermarket breach are still limited, but one thing has been clear from the beginning: the retailer claimed it was PCI compliant. This immediately raises a number of questions that can't be answered without more details but which could affect the future of PCI and third-party certification.
PCI has been hounded with concerns that the criteria are too vague. Is the Hannaford breach an instance where a retailer met the letter of the regulation but not the spirit? Did the PCI regulation miss a vulnerability that was exploited? If so, the standard needs to be tightened. Actually, that's probably the case anyway; this would just add justification to the argument.
Was the retailer in compliance at the time of the audit but then fell out of compliance afterward? If so, retailers have to address this so PCI does not become a simple "check the box" operation, which would undermine the credibility of PCI.
Then there are questions about liability and third parties. It seems Hannaford was reviewed during the time of the breach, according to Infoworld:
This question is further complicated by the timeline of the Hannaford breach. According to The Associated Press, the attack commenced on Dec. 7 but wasn't discovered until Feb. 27 and wasn't contained until March 10. At the same time, a separate report quotes a Hannaford spokeswoman as saying the retailer was certified as compliant in February--the same timeframe in which the breach was ongoing. If a third-party assessor certified the retailer as compliant during an attack, surely it must share some of the responsibility.
The questions around this breach and PCI fall into two categories. The first is how the breach occurred and whether the retailer was PCI compliant, which is of primary importance to the retailer and its customers; the second deals with PCI, auditing standards and ongoing compliance, which is of primary importance to the rest of us.
This incident looks like a promising case study for improving PCI, but it is too early to tell. We don't have enough data yet to answer the second set of questions, and trying to fix a problem without understanding it is pointless.