[...] Roy Banks, general manager of Authorize.Net, said security has always been a priority and that protection was in place. The problem is the attackers caught the company off guard with their methods. 'We've invested heavily in defense, and we thought we were prepared,' he said. 'But the nature of this attack was something we had never experienced.'

Banks said Authorize.Net has 'learned a great deal' from the past week, and will incorporate those lessons into the next round of security upgrades. 'The tactics of these people are evolving,' he said. 'Our security will evolve so we can stay ahead of them in the future.'

Hoekje hopes so. 'As far as my customers are concerned, when my site is down it only reflects on me,' he said.

Tom Corn, vice president of business development for Cambridge, Mass.-based security firm Mazu Networks, said distributed denial-of-service attacks are particularly serious because they take more sophistication and coordination to pull off than typical outbreaks.

"You're dealing with multiple zombie machines that are targeting this one site," he said. "The fact that this is a DDoS against a financial institution is not a good sign for the future. These guys monitor their victims during the attack and adjust their tactics as the victims try to make their own adjustments. It's difficult to recover from something like that."

Information security experts have long worried about the rapid rise of financially motivated attacks. Zimmerman said FBI officials told him such attacks have picked up since June. Corn noted that since April, at least two other credit card sites have been attacked.

"The big lesson is this: If you rely on these big businesses, you have to ask them questions about how secure they are, not just what their rates are," Corn said.