Payment Gateway Systems Security

Identifying weaknesses beyond PCI-DSS compliance to secure a critical payment processing environment.

Overview

A financial services organisation operated a dedicated PCI network zone and several cloud-based applications for processing payment card data. The environment had been validated as compliant with the Payment Card Industry Data Security Standard (PCI-DSS), and the internal team believed it was well secured against attack. As part of their annual assurance process, Cyber Defence was engaged to perform a penetration test to validate the security of the environment and uncover any remaining risks.

What we uncovered demonstrated that compliance does not always equal security.

Challenge

Crack the PCI Network

A 'secure' PCI enclave

The PCI network and card processing applications were believed to be hardened, segmented, and compliant.

Assurance requirement

The client requested an internal penetration test to validate secure handling of card data and identify any overlooked issues.

Test the business, not just IT

Our methodology mirrors attackers: start with low privileges and pivot through realistic organisational pathways.

Our approach

The Cyber Defence penetration testing team arrived onsite with user-level access equivalent to a restricted employee—precisely the starting point a real attacker often has.

Initial inspection suggested the environment was well-designed: card data processed on isolated networks, hardened devices, encryption standards met, policies followed. Anyone reviewing only the PCI segment would likely consider it secure and compliant.

But attackers rarely restrict themselves to the PCI scope.

Breaking the wider network

Our testers stepped outside the PCI-DSS boundary and analysed the larger network estate, immediately identifying:

• an outdated, forgotten server accessible to low-privileged users

• a blank administrator password, a critical oversight

• multiple systems sharing identical local accounts

• no monitoring in place for internal lateral movement

From this server alone, our team escalated privileges, accessed sensitive accounts, cracked several passwords, and pivoted deeper into the network. Within hours, we located credentials granting access to network devices and even the payment card servers themselves.

What began as minimal user access became full internal compromise of the client's 'fully secured' PCI environment.

Findings

What we discovered

Fundamental process flaw

A weakness in the client's internal administration processes, on systems outside the audited PCI scope, placed the entire payment environment at risk despite PCI compliance.

Weak internal administration

Forgotten servers, weak passwords, and shared accounts allowed rapid privilege escalation and lateral movement.

PCI network reachable

Attack paths from non-PCI systems to PCI-scoped servers had never been validated during previous audits.

Impact

Business implications

Exposure of cardholder data flows

Attackers could have gained access to systems that handled or supported payment card operations.

Regulatory risk

Failure to detect the weaknesses could have resulted in non-compliance, fines, or required reassessment.

Operational risk

Privilege escalation on core systems could lead to service outages or tampering with payment processes.

Our remediation guidance

Based on the engagement results, Cyber Defence provided detailed recommendations on:

• segmentation and secure design of supporting systems

• credential hygiene and privileged access improvements

• legacy system lifecycle management

• logging and monitoring for internal lateral movement

• new operational protocols for administrators

These improvements collectively reduced risk far beyond the narrow scope of PCI-DSS compliance.
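Two of the findings above (identical local accounts across systems, and no monitoring of internal lateral movement) and the matching remediation item (logging and monitoring for internal lateral movement) are the kind of thing a detection engineer can test with a few lines of code. The script below is an added example written for this page; it is not code from the engagement or from Cyber Defence. It assumes a JSON-lines feed of Windows Security Event ID 4624 records reduced to the fields t, EventID, LogonType, User, Domain, SrcIP and Dest (real collectors emit much richer records), and the thresholds of five hosts in fifteen minutes are assumptions to tune per environment. All sample events are constructed. It goes slightly beyond the text by also flagging the network use of a host's own local account, which is what a shared local administrator password looks like in the logs once an attacker starts passing the hash.

```python
"""Fan-out and shared-local-account detection over Windows 4624 logon events.

Added example, not code from the engagement on this page. The JSON-lines
input format and field names (t, EventID, LogonType, User, Domain, SrcIP,
Dest) are an assumption; real collectors emit richer 4624 records. All
sample events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: a service account from one workstation
# authenticating to six servers in eight minutes, a normal user hitting one
# file server, and the built-in local Administrator of two servers being
# used over the network (the shared-local-account pattern from the findings).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"t": "2024-03-01T09:00:10", "EventID": 4624, "LogonType": 3, "User": "svc-backup", "Domain": "CORP", "SrcIP": "10.0.5.20", "Dest": "FS01"},
    {"t": "2024-03-01T09:01:30", "EventID": 4624, "LogonType": 3, "User": "svc-backup", "Domain": "CORP", "SrcIP": "10.0.5.20", "Dest": "FS02"},
    {"t": "2024-03-01T09:02:45", "EventID": 4624, "LogonType": 3, "User": "svc-backup", "Domain": "CORP", "SrcIP": "10.0.5.20", "Dest": "DC01"},
    {"t": "2024-03-01T09:04:05", "EventID": 4624, "LogonType": 3, "User": "svc-backup", "Domain": "CORP", "SrcIP": "10.0.5.20", "Dest": "PAY-APP01"},
    {"t": "2024-03-01T09:06:20", "EventID": 4624, "LogonType": 3, "User": "svc-backup", "Domain": "CORP", "SrcIP": "10.0.5.20", "Dest": "PAY-DB01"},
    {"t": "2024-03-01T09:08:00", "EventID": 4624, "LogonType": 3, "User": "svc-backup", "Domain": "CORP", "SrcIP": "10.0.5.20", "Dest": "PRINT01"},
    {"t": "2024-03-01T09:01:00", "EventID": 4624, "LogonType": 3, "User": "jdoe", "Domain": "CORP", "SrcIP": "10.0.7.15", "Dest": "FS01"},
    {"t": "2024-03-01T09:30:00", "EventID": 4624, "LogonType": 3, "User": "jdoe", "Domain": "CORP", "SrcIP": "10.0.7.15", "Dest": "FS01"},
    {"t": "2024-03-01T10:05:00", "EventID": 4624, "LogonType": 3, "User": "jdoe", "Domain": "CORP", "SrcIP": "10.0.7.15", "Dest": "FS01"},
    {"t": "2024-03-01T09:15:00", "EventID": 4624, "LogonType": 2, "User": "Administrator", "Domain": "WEB02", "SrcIP": "-", "Dest": "WEB02"},
    {"t": "2024-03-01T09:16:40", "EventID": 4624, "LogonType": 3, "User": "Administrator", "Domain": "WEB02", "SrcIP": "10.0.5.20", "Dest": "WEB02"},
    {"t": "2024-03-01T09:19:05", "EventID": 4624, "LogonType": 3, "User": "Administrator", "Domain": "PAY-APP01", "SrcIP": "10.0.5.20", "Dest": "PAY-APP01"},
])

# Logon types that imply a remote source: 3 = network (SMB, WMI, PsExec), 10 = RDP.
REMOTE_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Parse JSON lines, keep successful remote logons, return them time-sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        if raw.get("EventID") != 4624 or raw.get("LogonType") not in REMOTE_LOGON_TYPES:
            continue
        events.append({
            "t": datetime.fromisoformat(raw["t"]),
            "user": raw["User"].lower(),
            "domain": raw["Domain"].upper(),
            "src": raw["SrcIP"],
            "dest": raw["Dest"].upper(),
        })
    events.sort(key=lambda e: e["t"])
    return events


def detect_fan_out(events, window=timedelta(minutes=15), min_hosts=5):
    """Flag (user, source IP) pairs that reach >= min_hosts distinct hosts inside
    any sliding window. Thresholds are assumptions; tune them per environment."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), evs in by_actor.items():
        best, left = None, 0
        for right in range(len(evs)):
            # Advance the left edge until the window fits; evs is time-sorted.
            while evs[right]["t"] - evs[left]["t"] > window:
                left += 1
            hosts = {x["dest"] for x in evs[left:right + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"user": user, "src": src, "hosts": sorted(hosts),
                        "start": evs[left]["t"], "end": evs[right]["t"]}
        if best:
            alerts.append(best)
    return alerts


def detect_local_account_network_logons(events):
    """Flag remote logons where the account's domain is the destination host
    itself, i.e. a local SAM account used over the network. On hosts that share
    one local administrator password this is what pass-the-hash looks like."""
    return [e for e in events if e["domain"] == e["dest"] and e["src"] != "-"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in detect_fan_out(evs):
        print(f"fan-out: {a['user']} from {a['src']} reached {len(a['hosts'])} hosts "
              f"between {a['start']:%H:%M} and {a['end']:%H:%M}: {', '.join(a['hosts'])}")
    for e in detect_local_account_network_logons(evs):
        print(f"local account over network: {e['domain']}\\{e['user']} from {e['src']} to {e['dest']}")
```

The fan-out rule keys on the account and the source address together, so a help-desk account that legitimately touches many hosts from a jump box can be whitelisted by source without silencing the same account used from an unexpected workstation. The local-account rule depends on the Domain field naming the target host for SAM accounts, which 4624 does; it is the cheapest signal that a shared local password is being replayed, and it needs no correlation window at all.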

Outcome

Results

Payment card environment secured end-to-end

Our findings revealed hidden weaknesses and allowed the client to secure their cardholder data processes end-to-end.

Improved operational practices

The client adopted strengthened administrative controls, reducing the likelihood of similar issues recurring.

Better testing methodology

The engagement demonstrated the importance of full-environment testing—not narrow compliance-driven scoping.

Takeaways

3 Tips for Penetration Test Scoping

1. Always agree your scope in writing

Ensure all stakeholders understand what is being tested and why.

2. Give testers two goals: one realistic and one adversarial

Compliance testing and adversary simulation produce very different findings.

3. Patch and back up your critical systems

Ensure patches and known-good backups exist before test day—just in case.

Need help securing your payment systems?

Cyber Defence performs comprehensive penetration testing, red teaming, and secure architecture reviews for high-risk financial environments.

Speak to our offensive security team to discuss your requirements.