Main payments gateway in Spain (RedSys) rejects Let's Encrypt certificates

To be fair, depending on what the back channel is used for, and how, the associated security risk may be small or even non-existent.

Until relatively recently the systems I’m responsible for included such a back channel from a major payment gateway (not RedSys) which was over HTTPS because all our systems for machines only speak HTTPS, but all that was communicated over this link was essentially a series of messages like this:

“Hi I’m your payment gateway and I promise customer XYZ has just paid you $8.45”

No card details are moved, no authentication or credentials, about the worst I can imagine an attacker doing is either to block access (so that your system doesn’t know it was paid and maybe customers are inconvenienced) or to send a lot of spurious “payments” with guessed customer IDs and hope to choke your systems up that way.

Spying on this channel could I guess be valuable industrial espionage? Knowing how many sales you’re making? But they could also, much more easily, just count how many connections are made and guess from that even if you use SSL.

It’s important that the service used to transport customer credentials and authorize payments is properly secured, but the back channel is not part of that service in any payment gateway I’ve seen.

Also, and perhaps unknown to even most retailers, let alone ordinary card holders, the credit card system pre-dates real computerisation, so the Settlement step where your money is actually spent is not authenticated or secured in any way. Any VISA accepting company anywhere in the world can tell VISA that oh yeah, your card was used and you owe them $484.31 and VISA will pass that to your issuer who will expect you to pay $484.31, and ONLY if you refuse to pay will anybody investigate and find that the company has no proof whatsoever you owe a penny. All that stuff with card swiping, or even typing PINs into terminals, that’s the Authorization step, which is purely advisory and not required to move the money, it just provides proof if you later refuse to pay. So, check your card statements carefully. This was a Public Service Announcement.
