With a control system for cash registers, the Swedish Tax Agency intends to make transaction data available in a more flexible way by transferring data to a database server. The transaction data of the control system are private and must be protected. However, systems that are connected to a network can be vulnerable to cybersecurity attacks where attackers use security vulnerabilities to steal, modify, and destroy private and sensitive information. To contribute to new knowledge, the aim of this thesis was to research and present which type of vulnerabilities could be present in a control system for cash registers. In addition, an appropriate method that could be used in future research was created for the use of penetration tests in a control system or similar systems. To gather empirical data, an observation of the use of the penetration tests as well as the results obtained by the tests were made. The results of the penetration tests showed that, the data generally are transferred in a secure manner but a severe type of vulnerability in the Oracle database server was also found. In this study, the exploitation of the vulnerability was left out of scope. We have not proven that the vulnerability who was found could be exploited and whether confidentiality, integrity and availability could be compromised in the event of a successful attack.