ID Thieves Target Smaller Businesses


Vamm - 10:17 am on Sep 29, 2006 (gmt 0)


shri: Let's assume the backend (who actually processes the credit card number) is a separate company (and a separate site). The backend processor is typically a high-profile (and tough) target, so we forget about attacking it for now.

I see two scenarios possible:

1. The "target" site collects data, including the card number (and CVV) and forwards them to the backend using some sort of script.
The attack is to modify the "target" scripts so that a carbon copy of the data is sent to the attacker.

2. The "target" site does not collect data itself. It rather provides a link to the backend, which prompts for data, then handles the rest of the processing.
In such a case the attacker would just replace the link to point to the fake backend. The fake backend captures the data and either bails out with an error message (database down please check back later) or forwards the data to the real backend processor (so the transaction finally completes).

There are multiple other technical considerations, but I think I've outlined the overall idea.
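
A defender-side check for the two scenarios in the post above, added here as an example and not part of the original thread: it flags checkout scripts that no longer match a recorded hash baseline (scenario 1) and payment links or form targets that leave the site for a host not on an exact-match allowlist (scenario 2). The file names, hostnames and page contents are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (constructed): the only legitimate payment processor hostname.
ALLOWED_PAYMENT_HOSTS = {"pay.processor.example"}

class _LinkCollector(HTMLParser):
    """Collects the targets of <a href> and <form action>."""
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.targets.append(value)

def changed_files(files, baseline):
    """Scenario 1: files whose SHA-256 differs from (or is missing in) the baseline."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != baseline.get(name))

def unexpected_payment_targets(html, site_host):
    """Scenario 2: links/forms leaving the site for a host not on the allowlist."""
    parser = _LinkCollector()
    parser.feed(html)
    bad = []
    for target in parser.targets:
        host = urlparse(target).hostname  # None for relative URLs
        # Exact match only: a lookalike host must not pass a substring test.
        if host and host != site_host and host not in ALLOWED_PAYMENT_HOSTS:
            bad.append(target)
    return bad

# Constructed sample data: a known-good deployment and a tampered copy.
GOOD = {"checkout.php": b"<?php forward_to_processor($card); ?>",
        "pay.html": b'<form action="https://pay.processor.example/submit"></form>'}
BASELINE = {n: hashlib.sha256(d).hexdigest() for n, d in GOOD.items()}
TAMPERED = {"checkout.php": GOOD["checkout.php"] + b"<?php /* extra code */ ?>",
            "pay.html": b'<a href="/cart">cart</a>'
                        b'<form action="https://pay.processor.example.net/submit"></form>'}

if __name__ == "__main__":
    print(changed_files(TAMPERED, BASELINE))
    print(unexpected_payment_targets(TAMPERED["pay.html"].decode(), "shop.example"))
```

The baseline has to be recorded from a trusted deployment and stored somewhere the web server cannot write to, otherwise whoever modifies the scripts can update the hashes as well.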


Thread source: http://www.webmasterworld.com/ecommerce/3101162.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com