Keeping it secret is difficult. A customer decided to add credit card transactions to the booking and reservation program when their service contract was up. Shouldn't be a problem, I thought, but I was told about it only 4 hours after implications. Their software couldn't negotiate the proxy properly, so I went on site. After double-checking settings with no luck, I decided to sniff the packets to see if there was a clue there. Immediately I noticed they were sending the CC information in clear text. They acted like I was hacking their program until I finally got them to ask one of their developers about it. I had to threaten to disclose their noncompliance with PCI standards for them to even do that.
Now they had one of their developers dealing with me on the inability to negotiate a simple proxy. Never could get it to work and ended up having to install a second gateway for the one computer that processed the CC payment, basically bypassing the IDS and real-time virus/malware scanning. There was a package they built for a test system that worked, but the company (management, not the developer) refused to implement it live because of some expensive testing. I called bullshit because their supposed previous testing allowed them to fail encryption of the information.
Next year - they didn't renew the contract and went with another setup altogether that was mainly web-based. That created another issue of redundant internet in a remote location but was easier to implement than the CC issue.