I think the point is that if an attacker gets source code access to your
website, they could change the page so that it submits to evilserver.net
instead of authorize.net. If they were more subtle, they could insert
javascript code to send the data t...