CASE STUDY
How tikpay wins transport contracts competitors can’t qualify for with a lean team and Vanta
"Vanta is amazingly powerful when you’re a tiny team and you don’t have the time. It takes so much of the load off you. I wouldn’t want to do it without the platform."
TL;DR
- Challenge: tikpay needed PCI DSS, ISO 27001, SOC 2 Type 2, and GDPR to unlock enterprise transit contracts, but manual compliance was consuming the CTO's time and stalling revenue.
- Solution: tikpay consolidated all four frameworks in Vanta, using cross-framework control mapping, automated evidence collection, and Vanta AI to run compliance with a lean team.
- ROI: tikpay completed ISO 27001 and SOC 2 Type 2 in approximately two months and is now a Translink-approved ticketing and payment provider, helping close contracts with two of the region's largest bus operators.
The company
Modernizing transit payments for operators and authorities across Australia
tikpay is a cloud-native, account-based ticketing and payments platform that lets travelers pay for buses, trains, and ferries using any credit or debit card—no proprietary hardware or closed-loop cards required. Founded in 2023 and backed by venture capital, the company offers a vendor-agnostic alternative to legacy transit payment incumbents, giving regional operators and government authorities a modern, lower-cost path to open-loop fare collection.
The challenge
Chasing certifications manually cost tikpay time and deals
Operating at the intersection of fintech, transit, and government, tikpay competes for contracts where enterprise-grade security credentials are a hard prerequisite, making compliance infrastructure critical.
What tikpay tried first: tikpay initially worked through an external audit partner for PCI DSS compliance, but Simon O'Connor, CTO, still found himself hunting for policy templates online, writing documentation from scratch, and absorbing weeks of work with little structured guidance from the auditor.
tikpay's pivot point: The pressure sharpened when tikpay began pursuing government tenders and enterprise operator contracts. These prospects wouldn’t do business without ISO 27001, SOC 2 Type 2, and GDPR. However, every week Simon spent on manual compliance was a week not spent on product. He needed a way to pursue multiple frameworks in addition to PCI DSS without scaling headcount.
Why tikpay chose Vanta: The tikpay team decided to work with Vanta after seeing how cross-framework control mapping would make PCI DSS work carry directly into ISO 27001 and SOC 2, making the remaining certifications structurally achievable at tikpay's size.
The Vanta impact
From manual scrambles to closing government contracts
tikpay went from chasing certifications manually to closing government contracts that competitors couldn't qualify for—without hiring anyone.
Here's how tikpay deployed Vanta:
As tikpay scales into new geographies, Vanta provides the compliance infrastructure to move without rebuilding from scratch.