National Specialty Retailer
PCI-DSS scoping review, segmentation testing, and external pentest for a national retailer running both physical POS and a high-traffic e-commerce platform.
Reduced the in-scope cardholder data environment by ~60% through targeted segmentation. Identified three exploitable issues in the e-commerce checkout flow and validated segmentation between corporate, store, and CDE networks. Client passed their next QSA assessment with no major findings.
The client had grown through acquisition and inherited a sprawling, ill-defined cardholder data environment that was driving up assessment costs and audit fatigue. They wanted both a smaller PCI footprint and the technical assurance that the new boundaries actually held.
We started with a scoping workshop and dataflow review that identified several systems incorrectly marked in-scope and several store networks that needed to be properly segmented. We then ran segmentation testing to validate the redesigned boundaries, attempting connections from each zone into the others to confirm that the corporate, store, and CDE networks were genuinely isolated rather than merely separated on a diagram.
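The shape of that segmentation check, as an added example that is not the engagement's own tooling: each flow records a connection the redesigned boundaries should block or permit, the script attempts a TCP handshake for each from the tester's vantage host, and any flow whose observed reachability contradicts the design is reported. The zone names, addresses and ports are illustrative assumptions, and the stand-alone demo uses loopback sockets so it runs offline.

```python
# Added example (not the engagement's own tooling): a minimal PCI segmentation
# check. A Flow records a connection the redesigned boundaries should block
# ("deny") or permit ("allow"); the check attempts a TCP handshake for each and
# reports any flow whose observed reachability contradicts the design.
# Zone names, hosts and ports used below are illustrative assumptions.
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone the tester's vantage host sits in (documented, not enforced here)
    dst_zone: str
    host: str
    port: int
    expect: str     # "deny" or "allow"


def tcp_probe(host, port, timeout=2.0):
    """True if a TCP handshake completes; refused, filtered and timed-out all count as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(flows, probe=tcp_probe):
    """Probe every flow once and return a report.

    violations: flows whose observed reachability differs from the expectation.
    vantage_ok: True only if at least one expected-"allow" flow was reachable.
                A run in which nothing connects proves only that the tester is
                in the wrong place (or fully firewalled), not that the CDE is isolated.
    """
    violations = []
    allow_seen = False
    for f in flows:
        observed = "allow" if probe(f.host, f.port) else "deny"
        if f.expect == "allow" and observed == "allow":
            allow_seen = True
        if observed != f.expect:
            violations.append((f, observed))
    return {"violations": violations, "vantage_ok": allow_seen}


def cde_reachable(report):
    """The subset of violations where a flow that should have been denied into the CDE succeeded."""
    return [f for f, observed in report["violations"]
            if f.dst_zone == "cde" and observed == "allow"]


if __name__ == "__main__":
    # Offline demo on loopback: one listener stands in for a reachable host and a
    # just-released ephemeral port stands in for a host the boundary should block.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    flows = [
        Flow("corp", "corp", "127.0.0.1", open_port, "allow"),   # vantage-point sanity check
        Flow("corp", "cde", "127.0.0.1", closed_port, "deny"),   # blocked as designed
        Flow("corp", "cde", "127.0.0.1", open_port, "deny"),     # deliberately reachable: a finding
    ]
    report = check_segmentation(flows)
    listener.close()
    print("vantage ok:", report["vantage_ok"])
    for f, observed in report["violations"]:
        print(f"VIOLATION {f.src_zone}->{f.dst_zone} {f.host}:{f.port} "
              f"expected {f.expect}, observed {observed}")
```

The `vantage_ok` flag is the caveat that matters in practice: a segmentation run has to be repeated from a host inside every out-of-scope zone, and each run must include at least one connection that is supposed to succeed, otherwise a clean "nothing reachable" result cannot be distinguished from a tester sitting on the wrong VLAN.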
On the e-commerce side, the test surfaced a Stored XSS in the order-notes field, whose contents are displayed to support agents, a session-binding flaw, and an over-permissive S3 bucket holding archived order exports. All three were remediated and retested before the next QSA cycle.