Services Capabilities Industries Cloud Audit Free Scanner Case Studies Use Cases Book a Consultation
Home Use Cases NovaPay Solutions
FinTech Payment Processor Security Audit — Use Case #2

25 PCI-DSS Violations in a Payment Processor:
Card Data Exposed, Transfers Hijacked, Merchants Compromised

A full PCI-DSS focused security assessment of NovaPay Solutions — a FinTech payment processor handling merchant onboarding, card-present and card-not-present transactions, settlement operations, and chargeback workflows. We found plaintext PANs in the database, CVVs stored post-authorization, hardcoded API keys in client-side JavaScript, and a CSRF vulnerability on the payment transfer endpoint that enabled unauthorized fund movement.

6 Critical Immediate risk
7 High Urgent priority
12 Medium Address promptly
25 Total All PCI-DSS mapped

NovaPay Solutions is a FinTech payment processor serving 340 merchants across e-commerce, retail POS, and recurring billing verticals. The platform handles merchant onboarding with MCC code assignment and risk tier classification, processes card-present and card-not-present transactions through a proprietary gateway, manages a card vault for tokenized recurring payments, and operates settlement and chargeback workflows that move real funds between merchant and issuer accounts.

Our engagement began as a PCI-DSS readiness assessment ahead of NovaPay's annual QSA audit. Within the first 3 hours, we discovered that Primary Account Numbers (PANs) were stored in plaintext in the transactions database — no tokenization, no encryption, no masking. The card vault, designed to securely store card data for recurring billing, was also storing full CVV/CVC codes post-authorization, a direct and unambiguous PCI DSS 3.2.2 violation.

The merchant portal contained a SQL injection vulnerability in the search function that gave us direct read access to every merchant's transaction history, settlement records, and cardholder data. Stripe API secret keys were hardcoded in frontend JavaScript, visible to any user inspecting the page source. The payment transfer endpoint — which moves funds between accounts — had no CSRF protection, meaning a crafted link could silently initiate unauthorized fund transfers from any authenticated merchant session.

Over a 4-day engagement, we catalogued 25 findings across merchant operations, payment processing, settlement, and compliance domains. All findings were mapped to PCI DSS v4.0 requirements, SOC 2 Type II criteria, and NIST 800-53 controls. Critical infrastructure remediation was completed within 48 hours.

Client NovaPay Solutions
Industry FinTech — Payment Processing
Active Merchants 340 merchants at risk
Monthly Transaction Volume $12.4M
Engagement Date March 2026
Duration 4 days assessment
Compliance Focus PCI DSS v4.0 + SOC 2 Type II
Risk Score 96 / 100 — CRITICAL
Key Vulnerabilities

25 PCI-DSS Violations Across All Domains

6 Critical, 7 High, 12 Medium — spanning cardholder data exposure, payment flow manipulation, merchant portal exploitation, and compliance infrastructure gaps. Every finding mapped to PCI DSS v4.0.

6 Critical
7 High
12 Medium
25 Total Found
Critical C-01 · PAY-001
Plaintext PAN Storage — No Tokenization or Encryption on Cardholder Data
Primary Account Numbers (PANs) for all 340 merchants' customers were stored in plaintext in the transactions table. No tokenization, no column-level encryption, no data masking. A single database query returned full 16-digit card numbers for every transaction processed in the last 18 months — over 2.1 million cardholder records immediately accessible.
PCI DSS 3.4 PCI DSS 3.5 Cardholder Data Tokenization
Remediation

Implement tokenization via a PCI-compliant vault (Stripe, Basis Theory, or VGS). Encrypt all existing PANs with AES-256. Truncate stored PANs to first-6/last-4 for display. Implement key management with HSM-backed CMKs.

Critical C-02 · PAY-002
CVV/CVC Stored Post-Authorization — Direct PCI DSS 3.2.2 Violation
The card vault was retaining full CVV/CVC security codes after transaction authorization. PCI DSS 3.2.2 explicitly prohibits storing card verification values after authorization under any circumstances. The vault contained 890,000 stored cards with full CVV — a single breach would give attackers everything needed for card-not-present fraud at scale.
PCI DSS 3.2.2 CVV Storage Card Vault SAQ D Violation
Remediation

Purge all stored CVV data immediately. Modify card vault to never persist CVV after authorization response. Implement automated PAN-scan tools to detect any future CVV storage. Update QSA documentation to reflect remediation.

Critical C-03 · PAY-003
Hardcoded Payment API Secret Keys in Frontend JavaScript
Stripe API secret keys (sk_live_*) were embedded directly in the merchant portal's client-side JavaScript bundle. Any user inspecting page source had full access to create charges, issue refunds, transfer funds, and read all customer payment data through Stripe's API. The keys had been in production for 9 months with no rotation.
PCI DSS 6.3.2 Secret Exposure Stripe API Client-Side
Remediation

Rotate all exposed Stripe keys immediately. Move all payment API calls server-side. Use only publishable keys (pk_live_*) in frontend code. Implement pre-commit hooks to scan for secret patterns.

Critical C-04 · MERCH-001
SQL Injection in Merchant Portal Search — Full Database Access
The merchant portal search endpoint used string concatenation for SQL queries. Injecting ' UNION SELECT pan,cvv,expiry FROM cards-- returned full cardholder data from the card vault. We demonstrated extraction of all merchant records, transaction histories, settlement amounts, and internal admin credentials — all from the unauthenticated search field.
OWASP A03 PCI DSS 6.2.4 SQL Injection Data Breach
Remediation

Replace all string-concatenated queries with parameterized prepared statements. Implement input validation and WAF rules. Restrict database user permissions to minimum required. Enable query logging and anomaly detection.

Critical C-05 · PAY-004
Payment Transfer Endpoint Has No CSRF Protection — Unauthorized Fund Transfers
The POST /api/transfers endpoint accepted authenticated requests with no CSRF token validation. A crafted HTML page — delivered via phishing or XSS — could silently initiate fund transfers from any authenticated merchant session. We demonstrated moving $10,000 between merchant accounts using only a hidden form auto-submit, with no user interaction required beyond visiting the page.
OWASP A01 CSRF PCI DSS 6.2.4 Fund Transfer
Remediation

Implement CSRF tokens on all state-changing endpoints. Use SameSite=Strict cookies. Add re-authentication for high-value transfers. Implement transfer velocity limits and anomaly detection alerts.

Critical C-06 · PAY-005
Magnetic Stripe Track Data Stored in Database — Complete Card Cloning Vector
Card-present transaction records contained full magnetic stripe Track 1 and Track 2 data in the raw_transaction_data column. PCI DSS 3.2.1 prohibits storing track data after authorization. Track data contains everything needed to clone a physical payment card — 340 merchants' in-store transactions over 6 months provided a card cloning dataset for tens of thousands of cards.
PCI DSS 3.2.1 Track Data Card Cloning Card-Present
Remediation

Purge all stored track data immediately. Modify POS integration to strip track data after authorization response. Implement automated scans to detect any sensitive authentication data in storage. Add column-level monitoring.

High H-01 · MERCH-002
Broken Access Control on Chargeback Endpoints — Cross-Merchant Data Access
The chargeback management API performed no merchant-level authorization checks. By modifying the merchant_id parameter, any authenticated merchant could view, respond to, and accept chargebacks belonging to other merchants. We accessed chargeback details — including cardholder names, transaction amounts, and dispute reasons — for all 340 merchants from a single test account.
OWASP A01 IDOR PCI DSS 7.2 Multi-Tenant
High H-02 · PAY-006
Transaction Logs Stored in Public S3 Bucket — Cardholder Data in Access Logs
Payment gateway access logs — containing full request/response bodies with PANs, merchant IDs, and settlement amounts — were stored in a publicly accessible S3 bucket. The bucket contained 14 months of transaction logs totaling 2.3TB. Unauthenticated aws s3 ls confirmed public read access to all objects.
PCI DSS 3.4 AWS S3 Data Exposure Access Logs
High H-03 · PAY-007
Webhook Signature Verification Missing — Payment Event Forgery
Incoming payment webhooks from Stripe and card network processors were accepted without signature verification. We crafted forged webhook payloads that triggered settlement credits, marked disputed transactions as resolved, and modified merchant payout amounts. No authentication or HMAC validation on any of the 12 webhook endpoints.
OWASP A07 Webhook Security PCI DSS 6.2.4 Event Forgery
High H-04 · PAY-008
No Rate Limiting on Payment API — Automated Card Testing Possible
The payment authorization endpoint had no rate limiting, velocity checks, or fraud scoring. We submitted 10,000 low-value authorization requests in 3 minutes to test stolen card numbers. This is a standard carding attack vector — fraudsters use payment processors without rate limiting to validate stolen card databases before executing high-value fraud.
PCI DSS 6.4.1 Rate Limiting Carding Attack Fraud Prevention
High H-05 · MERCH-003
Insecure MCC Code Assignment — Risk Tier Manipulation by Merchants
Merchant Category Code (MCC) assignment was modifiable through the merchant self-service API. Merchants could change their own MCC code to a lower-risk category — reducing their processing fees and bypassing enhanced due diligence requirements. High-risk merchants (gambling, adult content, pharmaceuticals) were able to reclassify themselves as standard retail, evading card network compliance requirements.
PCI DSS 12.5 MCC Fraud Risk Classification Card Network Rules
High H-06 · PAY-009
API Keys Transmitted in URL Query Parameters — Access Log Leakage
Merchant API keys were passed as URL query parameters (?api_key=sk_live_...) instead of request headers. API keys appeared in web server access logs, CDN logs, browser history, and referrer headers. Every intermediary between the merchant and NovaPay could read the authentication credentials — a violation of PCI DSS transport security requirements.
PCI DSS 4.2.1 Transport Security OWASP A07 Credential Exposure
High H-07 · SETTLE-001
Missing Audit Trail on Settlement Operations — Fund Movement Untracked
Settlement batch processing — which moves real funds from NovaPay's holding account to merchant bank accounts — had no audit logging. We could not determine who initiated settlements, what approvals were given, or whether settlement amounts matched authorized transaction totals. Manual settlement overrides left no forensic trace. A compromised admin could redirect settlement funds with zero accountability.
PCI DSS 10.2 SOC2 CC7.2 Settlement Audit Logging
Medium M-01 · TLS-001
Weak TLS Configuration — TLS 1.0 and 1.1 Still Accepted
The payment gateway accepted TLS 1.0 and TLS 1.1 connections. PCI DSS 4.2.1 requires TLS 1.2 minimum for all cardholder data transmission. These deprecated protocols have known vulnerabilities (BEAST, POODLE) that enable man-in-the-middle decryption of payment data in transit.
PCI DSS 4.2.1 TLS POODLE Transport Security
Medium M-02 · WEB-001
Missing Content Security Policy Headers on Merchant Portal
The merchant portal had no Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options headers. Combined with the existing input validation gaps, this left the portal vulnerable to XSS injection and clickjacking attacks that could steal merchant session tokens and payment API keys.
OWASP A05 CSP Clickjacking XSS
Medium M-03 · AUTH-001
Session Tokens Not Invalidated After Password Change
Changing a merchant account password did not invalidate existing session tokens. If an attacker compromised a merchant session, the legitimate user changing their password would not force the attacker out. Old sessions remained valid indefinitely, defeating the primary incident response action of password rotation.
PCI DSS 8.3.9 Session Mgmt OWASP A07 Incident Response
Medium M-04 · NET-001
No IP Whitelisting on Admin API Endpoints
Administrative API endpoints — including settlement batch controls, merchant suspension, and system configuration — were accessible from any IP address. No IP allowlisting, VPN requirement, or network-level access control. PCI DSS 1.3 requires restricting administrative access to trusted networks.
PCI DSS 1.3 Network Access Admin API NIST AC-3
Medium M-05 · COMP-001
PCI DSS Self-Assessment Questionnaire Gaps — 40% of Controls Undocumented
NovaPay's PCI DSS SAQ-D was incomplete — 40% of required controls had no documentation, no evidence, and no implementation. Network segmentation testing, quarterly ASV scans, and annual penetration testing had never been performed. The upcoming QSA audit would result in a non-compliant finding across multiple requirement categories.
PCI DSS 12.1 SAQ-D QSA Audit Documentation
Medium M-06 · MERCH-004
Merchant Onboarding Lacks KYC Verification — Identity Fraud Risk
New merchant accounts could be created with no identity verification, no business validation, and no sanctions screening. The onboarding flow accepted any business name, EIN, and bank account without cross-referencing OFAC lists or running standard KYC checks. This enabled money laundering, sanctions evasion, and fraudulent merchant accounts.
PCI DSS 12.5.2 KYC OFAC AML
Medium M-07 · SETTLE-002
Settlement Files Transferred via FTP — Not SFTP or FTPS
Daily settlement batch files — containing merchant bank account numbers, routing numbers, and settlement amounts — were transferred to the acquiring bank via unencrypted FTP. Settlement data traversed the public internet in plaintext. PCI DSS 4.2.1 requires strong cryptography for any cardholder or sensitive financial data transmitted over open networks.
PCI DSS 4.2.1 FTP Plaintext Settlement
Medium M-08 · DATA-001
Database Encryption at Rest Not Enabled — Cardholder Data on Unencrypted Volumes
The PostgreSQL database storing all cardholder data, merchant records, and transaction history ran on unencrypted storage volumes. A compromised backup, stolen disk, or unauthorized snapshot would yield the entire cardholder data environment in plaintext. PCI DSS 3.4.1 requires rendering stored PANs unreadable — encryption at rest is a baseline expectation.
PCI DSS 3.4.1 Encryption at Rest NIST SC-28 Database
Medium M-09 · COMP-002
No Penetration Testing Schedule — Never Tested by External QSA
NovaPay had never undergone an external penetration test. PCI DSS 11.4.1 requires annual penetration testing by a qualified assessor. Internal security testing was ad-hoc with no methodology, no scope definition, and no findings tracking. The engagement that produced this report was NovaPay's first professional security assessment in 3 years of operation.
PCI DSS 11.4 Penetration Testing QSA Annual Testing
Medium M-10 · WEB-002
Error Messages Expose Internal Stack Traces and Database Schema
API error responses returned full Node.js stack traces, PostgreSQL error messages with table and column names, and internal file paths. Attackers used these to map the database schema (identifying the cards, transactions, and settlements tables), which directly aided the SQL injection exploitation.
OWASP A05 Info Disclosure PCI DSS 6.2.4 Stack Traces
Medium M-11 · NET-002
No Web Application Firewall — Payment Endpoints Unprotected
No WAF was deployed in front of any payment endpoint, merchant portal, or API gateway. SQL injection, XSS, and automated attacks hit the application layer directly with no filtering, no rate limiting at the edge, and no bot detection. PCI DSS 6.4.2 requires a technical solution to detect and prevent web-based attacks for public-facing applications.
PCI DSS 6.4.2 WAF Edge Security Bot Detection
Medium M-12 · COMP-003
No Incident Response Plan — Payment Breach Response Undefined
NovaPay had no documented incident response plan. In the event of a cardholder data breach, there was no defined process for breach notification (to card networks, merchants, or cardholders), no forensic investigation procedure, no evidence preservation protocol, and no regulatory reporting timeline. PCI DSS 12.10 requires a documented and tested incident response plan.
PCI DSS 12.10 Incident Response Breach Notification SOC2 CC7.4
Compliance Coverage

Frameworks Tested & Mapped

Every finding was mapped to the frameworks that apply to payment processors handling cardholder data, merchant financial information, and fund settlement operations.

PCI
PCI DSS v4.0
Payment Card Industry Data Security Standard — the primary compliance framework for any entity storing, processing, or transmitting cardholder data. NovaPay's plaintext PAN storage, CVV retention, and missing network segmentation represent direct violations across Requirements 3, 4, 6, and 11. Pre-assessment: 6 of 12 requirement categories failing.
50% passing — 6/12 requirement categories
Pre-remediation: QSA audit will fail
SOC
SOC 2 Type II
Required by enterprise merchants evaluating NovaPay as a payment partner. Critical failures in CC6 (Logical Access — broken IDOR, missing MFA), CC7 (System Operations — no audit logging on settlements), and CC9 (Risk Mitigation — no incident response plan). 7 of 20 trust service criteria failing.
65% passing — 13/20 criteria
Pre-remediation: 65% — Multiple criteria failing
NIST
NIST 800-53 Rev 5
Adopted by NovaPay's enterprise banking clients as a security baseline requirement. Findings mapped to Access Control (AC-3, AC-6), Audit & Accountability (AU-2, AU-12), System & Communications Protection (SC-8, SC-28), and System & Information Integrity (SI-2, SI-10) families. 8 control families with active gaps.
Pre-remediation: 8 control families with gaps
Video Walkthrough

See the Audit in Action

Watch us walk through the NovaPay findings live — demonstrating the SQL injection exploit chain, plaintext PAN extraction, CSRF fund transfer, and webhook forgery attack. Coming soon.

FinTech Payment Processor Security Audit · March 2026
25 PCI-DSS Violations — Card Data to Fund Transfer Hijack
NovaPay Solutions · FinTech · Sentinel Stacks
Video coming soon Covers SQL injection to cardholder data extraction, CSRF fund transfers, webhook forgery, and the full PCI-DSS remediation walkthrough
Coming Soon
More Use Cases

Additional Audit Walkthroughs

Complete audit walkthroughs across different industries and threat profiles — each covering a distinct compliance framework and attack surface.

DataVault CRM
Financial SaaS
21 OWASP Top 10 vulnerabilities in a financial services CRM: SQL injection, plaintext SSNs and card numbers, exposed .env config, broken JWT auth. All 21 findings remediated in 14 days.
Live — Read full audit
NeuralPath AI
AI / ML
ML model serving platform audit: 4.2TB training data on public S3, model weights unauthenticated, Pickle RCE, privileged container escape. 25 findings, risk score 89.
Live — Read full audit
CloudReach SaaS
AWS Cloud
Multi-account AWS infrastructure audit: public S3, wildcard IAM roles, GuardDuty off in every region, Terraform state exposed. 25 findings, risk score 92.
Live — Read full audit
MedFlow Analytics
Healthcare
HIPAA-focused cloud audit: unencrypted PHI at rest in S3, overly permissive IAM, missing audit logging on PHI access. 19 findings, full NIST 800-53 alignment.
Case study in progress

Is Your Payment Infrastructure Secure?

If you're processing payments, PCI-DSS compliance isn't optional. We'll find what your QSA will find — before they do.

Run Free Scanner Book a Consultation