With the increasing demand for ecommerce and online trading, it is important for merchants and service providers to ensure their customers’ transactions and cardholder data are processed securely.

The Payment Card Industry Data Security Standard (PCI DSS) sets minimum baseline standards but it can be hard to follow and report on. Bastion has one of the largest teams of New Zealand-based Qualified Security Assessors (QSAs) with extensive experience across all stages of the PCI DSS lifecycle and organisation sizes and across multiple industries and sectors. They can help your business secure payment card data and meet your PCI DSS requirements in a pragmatic and sustainable manner as consultants as well as assessors.

Gap Analysis and Pre-Audit

Bastion will assist you with pre-audit checks to identify any areas that require additional effort prior to audit. Our team of experienced auditors can provide guidance to ensure the PCI DSS requirements are met. In particular, Bastion can help you understand the differences in PCI DSS v4.0 if you are coming up to your first v4.0 assessment.

Bastion will provide guidance in scoping of the environment to ensure the required components are assessed. This includes scope reduction where possible to remove unnecessary compliance costs.

Bastion will help with the completion of Self-Assessment Questionnaires (SAQs) for Merchants or Service Providers that may not require a full Level 1 audit.

Penetration Testing

Bastion has an experienced OSCP certified penetration test team, available to perform vulnerability assessments, penetration testing and segregation testing of the Cardholder Data Environment.

Level 1 Audits

Bastion will provide a full assessment and Report on Compliance (RoC) for your Cardholder Data Environment, whether it is a new system requiring an initial validation or a re-assessment of existing systems.

Bastion can assist with remediation, implementation and ongoing consultancy support, for example implementing business-as-usual (BAU) compliance processes, creating or updating internal policies, standards and incident response procedures to meet Requirement 12 of the PCI DSS, and assessing the scope and compliance impacts of business or system changes.

Contact us

Take the next step and talk to us today.