GCP security audit for PCI DSS readiness

Client:

International fintech company

Industry:

FinTech

Focus:

Cloud security audit on the GCP platform

Main challenge:

Protection against unauthorized access to administrative resources and personal or financial data leaks

Market:

International

Services provided:

Cloud penetration testing, cloud security assessment

Key Takeaways

PCI DSS compliance achieved.

Risk of unauthorized access reduced by 90%.

12 vulnerabilities identified and remediated.

Project completed ahead of schedule in 4.5 weeks.

Robust resource monitoring and event logging implemented.

vulnerabilities identified

90%

risk reduction

4.5-

week audit duration

GCP security audit for PCI DSS readiness

Apr 25, 2026

3 min

Can a fintech’s cloud infrastructure be prepared for regulatory requirements in 4.5 weeks? Yes, it can! The Datami team conducted a White-box pentest and Google Cloud security assessment, identifying 12 vulnerabilities, and resolving these reduced unauthorized access risk by 90%.

The client is a fast-growing fintech company specializing in real-time transaction analytics and fraud detection for digital payment platforms and neobanks, serving approximately 200,000 users.

The company processes millions of financial events daily, leveraging Google Cloud infrastructure for data analysis, regulatory compliance management, and machine learning-driven risk assessment.

Tasks and challenges

To enhance infrastructure security and prepare for PCI DSS certification, the client engaged Datami for a GCP security audit.

The company needed to identify configuration and access vulnerabilities for early remediation and to improve its cybersecurity level.

Conduct a comprehensive White-box security audit of the Google Cloud Platform environment.
Identify and prioritize risks that could lead to unauthorized access or data leaks.
Assist in preparing the infrastructure for regulatory compliance.

Object

Audit GCP security: console, Organization, Folders, IAM, storage, network, and monitoring

Standard

Assess configuration compliance with PCI DSS requirements

Result

Technical report including vulnerabilities and a remediation plan

Datami methodology for GCP audit

Our approach

In this project, we conducted White-box penetration testing and cloud security assessment of the Google Cloud Platform environment. Both automated and manual checks were used.

For the cybersecurity audit, Datami specialists used Google Cloud Console, IAM & Admin, Security Command Center, Cloud Identity, Policy Analyzer, Cloud NAT, Cloud Armor, Cloud Run, and Artifact Registry.

White-box

Full-access testing approach for deep system analysis

Key work stages and solutions

The project began with a kickoff meeting to align GCP audit priorities and obtain a test account.

Communication was organized through a real-time chat, where the client received interim progress reports. This ensured rapid data exchange and allowed all testing stages to be completed ahead of schedule.

Preparation

Studying GCP structure and documentation, obtaining access, and setting up tools.
Testing and security assessment

Automated scanning and manual search for vulnerabilities in IAM configurations and network objects.
Result documentation

Analyzing results and checking PCI DSS compliance. Preparing the final report with recommendations.

Results and Recommendations

Project tasks were completed in 4.5 weeks. The security audit reduced the risk of unauthorized access by 90%.

During the pentest, Datami specialists identified 12 vulnerabilities: 1 high, 5 medium, and 6 low.

The client received a clear action plan to strengthen cybersecurity, specifically recommending the following:

configure two-factor authentication (2FA) for all accounts, especially privileged ones;
enable resource monitoring and event logging for timely detection of suspicious activity;
update software library versions and remove unnecessary dependencies.

The fintech company's Google Cloud infrastructure became a managed, secure environment, and compliance levels, following the implemented measures, align with cloud security best practices.

Key Project Results

Default cloud settings can become entry points for attacks. As this cybersecurity case study demonstrates, risks often stem from basic gaps rather than complex attacks.

Through the pentest and security assessment, the client avoided confidential data leaks, preventing potential financial and reputational damage, and prepared for regulatory audits.

Indicator

Pre-project

Post-project

Risk level

High

Low / managed

Compliance with standards

Low (PCI DSS)

Aligns with cloud security best practices

Vulnerabilities

Unknown / unassessed

12 vulnerabilities identified and remediated

Unauthorized access risk

High

Reduced by 90%

More success stories with Datami

Browse other project case studies

Azure Audit for a Government Business Platform

ISO/IEC 27001 and GDPR compliance achieved
Infrastructure set up for the website update launch

Services:

Azure Security Audit (White-box)

Mar 5, 2026

AWS Security Audit for a Recruiting Platform

Threat detection time reduced to 20 minutes.
Full compliance with GDPR requirements ensured.

Services:

AWS cloud environment security assessment (White-Box)

Mar 3, 2026

Mobile App Security Outstaff Audit

Identified dangerous configurations and data leaks
Strengthened security before product launch

Services:

Mobile app pentesting, AWS pentesting, code security audit

Nov 20, 2025

Back to home page

Datami articles

Top 3 Industries with the Highest Number of Critical Cybersecurity Vulnerabilities from Datami Practice

Oleksandr Filipov

Top 3 Industries with the Highest Number of Critical Cybersecurity Vulnerabilities from Datami Practice

Which industries face the highest concentration of critical cybersecurity risks? Based on an analysis of the Datami project results, we identified three sectors where the average number of critical vulnerabilities discovered per project is the highest.

Mar 31, 2026 15 min

Top 4 Most Vulnerable Industries According to Datami

Oleksandr Filipov

Top 4 Most Vulnerable Industries According to Datami

Does the level of cyber risks depend on the industry? Datami analyzed the relationship between the number of vulnerabilities and the business sector of companies and identified the top industries with the highest concentration of weak points.

Mar 27, 2026 10 min

Types of Cybersecurity Vulnerabilities: The Most Common and Critical from Datami’s Practice

Oleksandr Filipov

Types of Cybersecurity Vulnerabilities: The Most Common and Critical from Datami’s Practice

In this article, we outline the main types of vulnerabilities. Based on the results of our projects, we have also compiled top lists of the most common and the most critical ones.

Mar 7, 2026 15 min

Show all articles

On this page you will learn what cookies are and how and when we use them. Definition of the term Cookies Cookies are pieces of data that a web server generates and that a website stores on your user device (computer, smartphone, tablet, etc.). Each website or third-party service sends cookies to the browser installed on your device only if your browser allows it. This is possible if you have not set any restrictions in your browser settings to save cookies. Browsers are a very well thought out technology. They protect personal data and allow websites to access only cookies that were previously sent to them. Cookies are divided into: session cookies. They are stored in the memory of the browser only during your session, after leaving the site immediately removed. permanent. They are stored in the memory of the browser for a long time. Definition of the term “browser” A browser is an application for browsing websites. The most popular browsers are Chrome, Internet Explorer, Firefox and Safari. All listed browsers are safe. In the settings of these browsers, cookies can be easily disabled, as well as change the settings of their work. You can: accept all cookies; ask the browser to notify when cookies are used; do not accept cookies. Cookies on ak1-3.com.ua and how we use them We use cookies to: our site is more functional; to understand how you navigate on the site, what content you consume better, to develop the content strategy of the site; understand how many visits to the site were per day, month, year. Analyze the geographical identity of users of the site, the number of repeated visits and other data. Cookies that we use on our site. Third-party cookies. The buttons of social networks, videos and some other services of our site are the property of other companies. These companies may also use cookies on your device if you have used them on our site or have been previously registered with them. The privacy policy of the use of personal data by these services can be found on the websites of these services. Blocking cookies All browsers allow simple actions to disable cookies. To disable them, you must go to your browser settings and find cookies in them. But we must remember that blocking cookies can have a negative impact on the performance of many websites. How to delete files You can also always delete cookies that are stored on your computer. To do this, follow the instructions of your browser Again, deleting cookies can have a negative effect on the performance of many websites.