CASE STUDY

How tikpay wins transport contracts competitors can’t qualify for with a lean team and Vanta

COMPANY
tikpay
LOCATION
Melbourne, Australia
INDUSTRY
Fintech
EMPLOYEES
10
SOLUTION

PCI DSS, ISO 27001, SOC 2, GDPR, Trust Center

VANTA CUSTOMER SINCE
2024
ISO 27001 + SOC 2 Type 2 completed in ~2 months

Became preferred supplier with Queensland government

No new headcount required

"Vanta is amazingly powerful when you’re a tiny team and you don’t have the time. It takes so much of the load off you. I wouldn’t want to do it without the platform."

Simon O'Connor
CTO, tikpay

TL;DR

  • Challenge: tikpay needed PCI DSS, ISO 27001, SOC 2 Type 2, and GDPR to unlock enterprise transit contracts, but manual compliance was consuming the CTO's time and stalling revenue.
  • Solution: tikpay consolidated all four frameworks in Vanta, using cross-framework control mapping, automated evidence collection, and Vanta AI to run compliance with a lean team.
  • ROI: tikpay completed ISO 27001 and SOC 2 Type 2 in approximately two months and is now a Translink-approved ticketing and payment provider, helping close contracts with two of the region's largest bus operators.

The company

Modernizing transit payments for operators and authorities across Australia

tikpay is a cloud-native, account-based ticketing and payments platform that lets travelers pay for buses, trains, and ferries using any credit or debit card—no proprietary hardware or closed-loop cards required. Founded in 2023 and backed by venture capital, the company offers a vendor-agnostic alternative to legacy transit payment incumbents, giving regional operators and government authorities a modern, lower-cost path to open-loop fare collection. 

The challenge

Chasing certifications manually cost tikpay time and deals

Operating at the intersection of fintech, transit, and government, tikpay competes for contracts where enterprise-grade security credentials are a hard prerequisite, making compliance infrastructure critical. 

What tikpay tried first: tikpay initially worked through an external audit partner for PCI DSS compliance, but Simon O'Connor, CTO, still found himself hunting for policy templates online, writing documentation from scratch, and absorbing weeks of work with little structured guidance from the auditor. 

tikpay's pivot point: The pressure sharpened when tikpay began pursuing government tenders and enterprise operator contracts. These prospects wouldn’t do business without ISO 27001, SOC 2 Type 2, and GDPR. However, every week Simon spent on manual compliance was a week not spent on product. He needed a way to pursue multiple frameworks in addition to PCI DSS without scaling headcount. 

Why tikpay chose Vanta: The tikpay team decided to work with Vanta after seeing how cross-framework control mapping would make PCI DSS work carry directly into ISO 27001 and SOC 2, making the remaining certifications structurally achievable at tikpay's size.

The Vanta impact

From manual scrambles to closing government contracts

tikpay went from chasing certifications manually to closing government contracts that competitors couldn't qualify for—without hiring anyone.

Here's how tikpay deployed Vanta:

Vanta tools and solutions ROI

Automated Compliance: tikpay used Vanta to manage PCI DSS, then leveraged cross-framework control mapping to streamline compliance for ISO 27001, SOC 2 Type 2, and GDPR.

The Vanta Agent acts as an active guide throughout—when Simon couldn't find where to complete a task, he'd paste a screenshot into the Agent chat and get directed to the right screen immediately. At audit time, his process is simple: jump into the framework, check the completion percentage, and work through what's outstanding. Vanta also catches infrastructure compliance issues in the background that would otherwise be missed.

  • 2 months to complete ISO 27001 and SOC 2 Type 2
  • Earned preferred supplier status with the Queensland government, and closed contracts with two of the region's largest bus operators
  • Auditors work independently in the Vanta platform, with little tikpay involvement

Trust Center: Allows tikpay to share certifications and EMV letters with prospects.

Access Reviews: Automated user access verification fully replaces a manual workflow using Google Workspace exports.

As tikpay scales into new geographies, Vanta provides the compliance infrastructure to move without rebuilding from scratch.


"When you compare the hourly rate for someone to run around and collect evidence compared to Vanta, Vanta is a no-brainer."

Simon O'Connor
CTO, tikpay