Client Engagement Manager | PCI Qualified Security Assessor | Adventure Traveler
Natasja is the kind of payment security expert you want on speed dial when PCI DSS feels like alphabet soup. With 25+ years in IT and information security, she's helped everyone from major payment providers to scrappy start-ups navigate compliance without losing their sanity.
At VikingCloud, she's the go-to guru for payment security—guiding clients through PCI standards, shaping our compliance portal, and feeding insights into product development. If it involves payment security, chances are she’s had a hand in making it smarter, smoother, and more human.
Her career began on IT helpdesks, then evolved into information security consultancy across telecoms and security start-ups. Along the way, she’s always kept one eye on the tech and the other on the people, blending sharp technical know-how with straight-talking, client-friendly guidance. Before VikingCloud, she spent over a decade at what became Secureworks, leading secure infrastructure projects and building her reputation as a PCI DSS powerhouse with major payment providers and card brands.
Credentials That Count
Certifications: ISO27001 Lead Auditor | CISSP (since 2006) | PCI QSA (since 2010) | Microsoft Certified Systems Engineer | CheckPoint Certified Security Engineer
Recognition: Finalist in DTS Women in Tech Awards and Security Excellence Awards | Featured in PCI SSC's award-winning 'Paving the Way: Inspiring Women in Payments' series
Making Payment Security Make Sense
When it comes to payment security, Natasja isn’t just in the room—she’s usually on stage. You'll find Natasja sharing wisdom at PCI Community Meetings, on panels like the Women in Payments EMEA Symposium, or championing small-merchant realities on the PCI Security Standards Council's Small Merchant Taskforce.
She turns dense standards (PCI DSS, PSD2 Strong Customer Authentication) into something that actually makes sense—through blogs, whitepapers, client guides, and webinars. Her message: payment security doesn't have to be painful, and small businesses deserve practical, powerful solutions.
From National Parks to Cybersecurity
Natasja is based in the Scottish Borders—just half a mile from a castle that once had its close-up on the BBC’s Antiques Roadshow. Natasja's career path wasn't exactly straight. Armed with an Environmental Science degree—sparked by a three-month coast-to-coast camping odyssey through nearly every U.S. National Park—she seemed destined for a life outdoors. Instead, she swapped hiking boots for hard drives, channeling that same spirit of exploration into the ever-shifting landscape of cybersecurity.
Q&A with Natasja Bolton
Q: What is the biggest challenge organizations are experiencing when you first speak to them? Any examples?
The short answer? PCI DSS confusion—lots of it. Most organizations I meet aren’t struggling because they don’t care about security; it’s because they don’t know what the standard actually means for them. PCI DSS v4.0 only raised the stakes, landing right as payments technology and solutions are evolving at warp speed.
For small businesses, the challenge is classic: not enough time, not enough resources, and far too much jargon. They know PCI DSS exists but aren’t sure how it translates into their day-to-day.
But here’s the twist lately: the toughest conversations aren’t always with merchants anymore. Increasingly, it’s our clients’ partners—Independent Software Vendors, SaaS providers, and businesses embedding card payments into their solutions—who are waking up to the fact that, yes, they’re in scope too. That realization can feel like a bucket of cold water, but that’s where I come in: helping them to understand why they have a role to play in payment security, and to see the path forward without drowning in the acronyms.
Q: If you could give one piece of advice to organizations, what would it be?
Keep cardholder data as far away from your business as possible. The old saying was, “If you don’t need it, don’t store it.” These days, it goes further: don’t even touch it if you don’t have to. With today’s range of secure payment technologies, PCI DSS–compliant payment solutions and third-party service providers, there’s almost always a way to reduce your exposure to payment card account data.
Why? Because the less exposure you have, the lighter your compliance load—and the more time, money, and brainpower you can put toward growing your business instead of wrestling with PCI DSS requirements and assessments. Think of it this way: by relying on secure, compliant solutions, services, and third parties, you can focus your energy (and budget) on real security threats and your actual business goals. Everybody wins—especially your customers.
Why Natasja Matters
In a world where PCI standards feel like a labyrinth, Natasja is the guide with the map and the flashlight. She translates compliance obligations into practical steps people understand—without drowning them in acronyms.
What sets her apart? It's not just 25+ years of expertise—it's how she delivers it: clear, tailored, and people-first. She doesn't just help organizations "get compliant"—she helps them succeed. And that's why Natasja matters.