Re: PCI DSS?
"My money is on an admin password on a post-it note stuck to a monitor near a window."
Nothing so esoteric. Flash back to the '90s when most breaches of this type were engineered simply by Billy Cracker phoning in and asking... err, demanding access via: "I don't have time for this, give me access right now, or clean out your desk!"
Nobody remembers the past.