Sector
Built for regulated financial technology environments.
Bergson works best where cloud infrastructure, payment systems, ICT risk, audit evidence and software delivery overlap. The focus is practical control: who owns the risk, how the system is operated, where the evidence lives, and what needs to change.
What we cover
Scope of work
Payment & EMI platforms
- Cloud-native payment architecture review
- PCI DSS scoping and evidence support
- Tokenisation and CDE minimisation
- Acquirer and brand-facing assurance
ICT risk & resilience
- DORA-aligned risk framework
- Operational resilience testing
- Major incident classification and reporting
- BCDR for regulated workloads
Cloud governance
- Identity, secrets and key management
- Logging and audit coverage
- Network segmentation
- Configuration and drift control
Third-party oversight
- ICT third-party register
- Concentration and exit strategy
- Contractual control alignment
- Critical supplier monitoring
Audit & assurance
- ISO 27001 readiness
- PCI DSS evidence
- Customer due diligence responses
- Regulator-facing narratives
Board & management reporting
- Plain-language ICT risk reporting
- Resilience and incident metrics
- Programme and remediation tracking
- Independent challenge
What good looks like
What you should expect to walk away with.
- Architecture and regulatory obligations traced to each other
- Evidence packs that hold across PCI, ISO and DORA
- A reporting cadence boards and regulators can rely on
- A pragmatic plan for resilience and third-party oversight
Next step
Operating a payments or EMI platform?
Bergson does not replace accountable management, auditors, QSAs or legal advisers. We help technology teams create the operating evidence and governance those stakeholders need. Tell us the audit, regulator query or release that is driving this.