Visa Europe have recently released an alert concerning the targeting of merchants using a redirect model for processing payments, where the customer is redirect to a third party payment page where the payment transaction is handled. These attacks involve compromising the merchant website and manipulating the redirect in such a way as to compromise the customers credit card details.

This is the first time this particular risk has been identified as an active target for hackers. Under the current system of categorising small merchants, this method of processing credit card payments is viewed as low risk as the merchant does not have 'store, process or transmit' credit card data. However it seems that even though this is the case, the risk is not fully transfered to the third party payment provider if the attacker can directly manipulate the page that the customer is redirected to.

The full details of the alert can be found here.