Case Study Grindset Software: Payment System Pentest for PCI DSS Compliance

Client: Grindset Software — an international software development company specializing in payment processing and transaction management
Industry: Software Development
Focus: Protecting clients’ financial data and ensuring PCI DSS compliance
Main challenge: Identifying and eliminating vulnerabilities in the payment infrastructure
Market: International
Services provided: Black-box penetration testing of the payment system, including assessment of web applications, servers, databases, and communication channels
Key Takeaways
  • Conducted a black-box penetration test of critical payment system components
  • Discovered 15 vulnerabilities; 5 critical issues were resolved within 48 hours
  • Improved attack resilience by 85% and enhanced PCI DSS compliance
Can a single vulnerability in a payment system cost $500,000? Grindset Software decided not to take the risk and turned to Datami to assess the security of its payment system. We conducted a black-box penetration test and identified 15 vulnerabilities. As a result, the company strengthened its resilience to attacks and prepared for PCI DSS certification.

Grindset Software is a mid-sized international IT company that develops software solutions for financial services. Its core focus is on payment systems and transaction processing for businesses. Every day, thousands of users interact with the company’s web platform to make payments.

Operating in the high-risk FinTech sector, Grindset must comply with international PCI DSS standards, making cybersecurity absolutely critical.

Objectives and challenges

Grindset Software processes sensitive payment data; rising cyber threats, fraud attempts, and the need for PCI DSS compliance prompted a full security audit.

The goal of the project was to identify potential weaknesses in the cybersecurity of the payment system, assess infrastructure security, and prepare for certification.

• Perform a black-box penetration test and evaluate the security of the payment system (web applications, servers, databases, and communication channels)
• Identify vulnerabilities in authentication and encryption mechanisms
• Prepare a detailed report with technical recommendations and a threat remediation plan
Penetration testing: Black-box penetration testing of the payment system
Vulnerability identification: Identification and prioritization of potential threats across project assets
Report and recommendations: Technical report and action plan to strengthen security and ensure PCI DSS compliance
Our approach

Datami conducted comprehensive security testing for Grindset Software, focusing on critical components of the payment infrastructure — from web services to databases. Special attention was given to data transmission channels, authentication mechanisms, and encryption methods.

A black-box approach was chosen for the penetration test — testing without access to internal technical documentation, closely simulating the behavior of a potential attacker. During the testing process, we used Metasploit, Burp Suite, and Wireshark, combining both automated and manual testing techniques.

Black-box: A security testing strategy that simulates an attack without access to internal system data, mimicking the perspective of an external attacker.
Key project stages and solutions

As part of the project, the Datami team focused on a full audit of Grindset Software’s payment system, including the payment processor, web services, databases, and communication channels.

During the testing process, it was decided to strengthen access control measures and update software components.

Main project stages:

• Preparation
  Review of documentation, analysis of system architecture, identification of critical components, and development of testing scenarios.
• Testing
  Execution of a black-box penetration test using both automated and manual techniques, supported by tools like Metasploit, Burp Suite, and Wireshark.
• Analysis and Reporting
  Compilation of a technical report detailing 15 identified vulnerabilities, along with recommendations for remediation and security improvements to meet PCI DSS standards.
Results and recommendations

At the start of the project, Grindset Software’s payment infrastructure faced significant risks: unsecured data transmission channels and weak authentication mechanisms posed a serious threat of financial data leakage.

During the penetration test, Datami identified 15 vulnerabilities: 5 critical (including potential access to the payment processor) and 10 medium-risk issues.

Due to the complexity of the system, specialized security measures and new access control and data protection methods were required.

Grindset Software received clear recommendations:

1. Implement two-factor authentication.
2. Update outdated software.
3. Conduct regular security testing of the payment system.

After implementing the recommendations, the overall risk level was reduced to medium, and the likelihood of financial data leakage decreased by 85%, helping to prevent over $500,000 in potential losses.

The project was completed in 3 weeks, and all critical vulnerabilities were remediated within 48 hours.

Key project outcomes

In just 3 weeks, Grindset Software, in collaboration with Datami, significantly strengthened the cybersecurity of its payment infrastructure: all key vulnerabilities were identified, PCI DSS compliance was improved, and customer financial data was secured.

All project goals were achieved on time. This case study demonstrates that even FinTech companies require regular penetration testing to prevent data breaches, financial losses, and reputational damage.

Area | Before the project | After implementation
Security status | High risk due to unsecured communication channels | 15 vulnerabilities identified and mitigated, 85% increase in security
Critical vulnerabilities | Potential attack on the payment system | 5 critical issues resolved within 48 hours
Account compromise risk | High due to weak authentication | Risk reduced through implementation of two-factor authentication
Compliance | Partial PCI DSS compliance | Full compliance achieved after improvements
Timeline | Typically 4–5 weeks | Project completed in 3 weeks