I don't think the attackers are after your credit card records as much as they are after using your network as one base amongst thousands of others to perform illicit compute, generate traffic to a victim network, etc. That is: the attack is outbound from you to the victim, not inbound to you as the victim (at least not beyond the initial beachhead).