Our Verisign security wasn't breeched and our hosting company can not find a breech and we are having them triple check.
...
Forrest
I will keep you posted. Thanks for your support.
As a side note to this Forrest, I am a security guy, and can tell you this...
Certificates are great, but a certificate does not equal security. When you do not physically control the server that the certificate was requested and installed on, you are at the mercy of the security controls of the provider.
What are their practices for securing the private key? The only thing protecting the private key is a passphrase on the certificate key database (probably not under your control).
Any admin working at the provider may have knowledge of the passphrase, any one that knows the passphrase can export the certificate with the private key.
Even if they don't have physical access to your server, they may centrally manage the certificates and have them stored on a central server that an employee might have access to.
With the private key, if you can capture the network traffic to the server at any point (as it comes in to the hosting facility, a span port on any switch in front of it, or on the server itself) you can look at the traffic with wireshark and view it decrypted using the private key.
My point is, I would not discount the hosting company just because they say they don't see any problems with your server. Again, this is an issue that should be escalated to the authorities. You can not say that there for sure is no issue with your verisign cert unless you physically have controlled that, which is not happening if you are in a hosting facility, most likely.
As for discovering anything from the forensics of this issue, you need to stop and take a break here. You or the provider or even just allowing your server to continue transacting business can be destroying evidence. In order to forensically study the server, it should be unplugged (network wise - not power) and left alone until qualified persons can examine it and acquire images of memory and disk. With a provider that is most likely not going to happen unless you have a dedicated server and they are willing to work with you, buy most likely only with the involvement of authorities.
However, there are likely more easy paths to this information. I hear conflicting info here, on one hand I hear that you put in a credit card number in the web server and AHS never sees it, on the other hand I hear people saying they have ordered stuff and get a printed credit card receipt from a terminal. Which is it? What is the path that a credit card number takes through your systems? If it really only hits the web server and then out to the processor, it can only be your web server (or somewhere within the hosting co) or the processor. If you pick up the info or it is fed to you to process manually, then all bets are off.
