How to: Breaching Cardholder Data in 50 hours

If you are unfamiliar with penetration testing and red teaming practices, there are a few different types of projects or “engagements” that you will be exposed to. In this write-up, I was able to gain unauthorized access into my customer’s Cardholder Data Environment (CDE) in a Payment Card Industry Data Security Standard (PCI-DSS) internal penetration testing.

What differentiates PCI testing with a regular internal penetration testing?
In short — they have different objectives. Regular testing aims to access sensitive information, which can usually be…