XSS bugs on the websites of the world's largest payment/credit-card proccessors are unacceptable. Most of the world's financial institutions issue a Visa or a MasterCard to consumers. Even if their vulnerable sites do not hold real personal or financial information about consumers, malicious people can still leverage the XSS bugs with phishing techniques to trick millions of unwitting people into sharing sensitive information.
Fraudsters are copying the design of genuine bank websites and embed malicious code in the source code. The code could be anything malicious, from a cookie stealer to a trojan horse downloader and executer or a destructive virus. After they register domain names similar to the genuine ones and they leverage cross-site scripting vulnerabilities to redirect victims to the phishing pages serving crimeware.
Visa and MasterCard sites have been XSSed in the past.
VISA.com XSS flaws:
Discovered and reported by "d3v1l" from Security-Sh3ll.
MasterCard.com XSS flaw:
Discovered and reported by "PaPPy".