You don't just "break the encryption algorithm". If the people holding the database can get through AES-256 or 128-bit triple DES, the internet as a whole has far bigger problems than Steam's database being compromised.
This isn't CSI. You don't just throw encrypted text at an implausibly attractive IT guy and wait for him to furrow his brow, declare that it's military-grade encryption that will take him a little while, and then have him decrypt it by the end of the next commercial break. PCI-compliant encryption is the sort of thing that, barring incredible leaps in technology or the discovery of a significant algorithmic weakness, will never be crackable in our lifetime.
Keep in mind he was referring to credit card information, not the credit card number. He mentions this here: "We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked." By credit card information, he's referring to address and name, for example, which, at last check (earlier this year) didn't necessarily require encryption.
That the information had encryption is a good sign.