Skip to content

Case Study Technology/Finance Industry

How a Fintech Streamlined PCI DSS Requirement 6.5 and Increased Developer Engagement

Security Journey Case Study FinTech Header
Streamlining PCI DSS Requirements and Engaging Developers
Security Journey Case Study FinTech Header

The Company

The fintech company that boasts the title of “the first payments unicorn in Mexico, is based in Mexico City. Side note: Mexico is the 12th largest economy in the world.

The company provides a wide range of payment solutions that make digital payments simple and easy to access, democratizing financial services in Mexico in the process.


North America

Number of Users


Company Size




Compliance Requirements


The Challenge

Security Journey Case Study FinTech

The results from the security test did not look good. While all the developers had completed their video-based secure coding training, a requirement to check the box for PCI compliance, it was clear from the final report that some development team members had not fully grasped the content. There were patterns in their coding practices that concerned the company. A portion of the development team had missed simple steps that would have eliminated some vulnerabilities.

The development team received secure coding training to fulfill Requirement 6.5 of the PCI DSS specification. But the company needed to do more than check a requirements box. They had to have improved application security. And what they saw was that they needed a better training solution

The fintech company had established a set of criteria for evaluating secure coding training solutions to replace their previous solution. 

  • PCI DSS-specific Content - Fintechs that handle credit card payments and store personally identifiable information (PII) must comply with the PCI Data Security Standard. 

  • Simple Compliance Tracking and Reporting - The company wanted to significantly streamline its ability to track and report on completion of the training so that its administrators didn’t spend tens of hours monitoring and chasing after developers to wrap-up their training in time.

  • Engaging and Effective Platform - After getting feedback from the engineering team that the video-based training the company had used in the past was boring and repetitive, one of the priorities for the new solution was that the platform had to be engaging.

  •  Programming Language Support - The company has hundreds of developers that work in a broad range of different programming languages and they had to be sure the secure coding training supported all of them.

  • Comprehensive Content Coverage - The OWASP Top 10 fulfills the basic PCI requirements. However, due to the nature of its business, the company wanted a secure coding training solution to provide lessons on API security and mobile security.

  • Ease of Deployment - Since the information security team handles many responsibilities, the solution had to be simple to set up and deploy.

  • Buy-in from the Engineering Team - While the information security team was responsible for evaluating and selecting the solution, the engineering team would take the training.

The Solution

We're Here Every Step of the Way

After carefully evaluating HackEDU's secure coding training platform, the company chose to move forward with them. The platform met all the fintech company's requirements they had set for their developers' training. During the proof of concept phase, the company's security and engineering teams became fans.

"When we tested HackEDU, we found the challenges and hands-on lessons attractive for the information security team. Also, the proof of concept for the engineering team was attractive. The platform was cool and interesting".

Simple Deployment

Once the training was rolled out, the company discovered that not only did HackEDU meet its requirements for a new training platform, but it surpassed them in ways they didn't expect. "It was really easy to set up the platform and integrate all users using single sign-on (SSO). We only had to give them access to the platform, and they already had all the mandated courses set up for them by the team. We did the entire rollout in less than two weeks." 


"Something that really got my attention was one user found he had access before the official launch, before the official communications, and he completed the training before it even rolled out."

"Even though our developers are very busy, they are making the time to complete the training. That says to me that they really like the training. I even have people approach and ask for access to other training modules that are not required."

Easy Reporting and Audit Compliance

"One of the criteria we had for selecting a platform was really easy reporting and to see how well everyone's doing in their training. What I like is there's a visual to easily see who's not started the courses. We can easily send out notifications and reminders through the Slack integration.

For compliance, we can easily download the completion report for the people who have finished everything – it's easy to track and provide evidence of completion. It shows the names and completion dates. That's pretty much what we need from a compliance perspective."

Download the Case Study

How a Fintech Streamlined PCI DSS Requirement 6.5 and Increased Developer Engagement