PCI Compliance and Security Program Manager
Who we are:
Shape a brighter financial future with us.
Together with our members, we’re changing the way people think about and interact with personal finance.
We’re a next-generation fintech company using innovative, mobile-first technology to help our millions of members reach their goals. The industry is going through an unprecedented transformation, and we’re at the forefront. We’re proud to come to work every day knowing that what we do has a direct impact on people’s lives, with our core values guiding us every step of the way. Join us to invest in yourself, your career, and the financial world.
The Governance, Risk, and Compliance (GRC) team handles a wide range of cross-functional activities, from security compliance certifications and audits, to risk management, inbound and outbound due diligence, third party risk management, security awareness, policy and procedures, PCI DSS and other standard compliance, and much more.
Each of these ongoing parallel activities entails interpreting and setting requirements, assessing the effectiveness of security controls, risk-based decision making, cross-functional collaboration and communication, and staying up-to-date on security best practices and how changes in the evolving threat landscape need to inform our strategy.
We are seeking an experienced Security Compliance Manager responsible for overseeing the organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS). As an individual contributor, this role ensures that all required processes, procedures, and controls are implemented and maintained to protect cardholder data and ensure our ongoing compliance with PCI DSS requirements.
- Develop and maintain the organization's PCI DSS compliance roadmap
- Partner with stakeholders and cross-functional partners to identify, document, and communicate project/program scope, schedule, risks, and issues
- Serve as the primary point of contact for PCI Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), and relevant external partners
- Be the subject matter expert for PCI DSS compliance across SoFi
PCI Security Assessments:
- Coordinate PCI DSS annual assessments, vulnerability scans, and penetration testing with various internal and external stakeholders
- Perform ongoing compliance checks to maintain continuous compliance
- Facilitate code reviews, architecture reviews, API security reviews, and third-party reviews with engineering and security teams for the PCI-scoped environment
- Lead PCI governance for the cardholder data environment
- Collect, prioritize, track, and drive issues to resolution/closure
Policy and Procedure Development:
- Collaborate with relevant departments to maintain and update PCI DSS-compliant policies, controls and procedures
- Regularly review and update the organization's policies and procedures to ensure ongoing compliance
Training and Awareness:
- Conduct PCI DSS awareness and training sessions for staff
- Ensure all relevant personnel are aware of PCI DSS requirements as they pertain to their roles
- Identify potential areas of compliance vulnerability and risk
- Develop and implement corrective action plans for resolution of problematic issues
- Provide guidance on risk mitigation techniques related to PCI DSS
- Assist with any potential cardholder data breaches or incidents, ensuring they are appropriately addressed, documented, and reported in accordance with PCI DSS requirements
- Provide regular updates to leadership on the status of PCI DSS compliance, including any potential risks or issues
- Stay updated on changes to the PCI DSS and related industry best practices
- Recommend improvements to enhance the security posture and efficiency of the organization's PCI program
Qualifications:
- Minimum of 7 years of experience in PCI DSS compliance, preferably in a similar role
- Strong understanding of information security principles, best practices, and the PCI DSS
- Relevant certifications such as Qualified Security Assessor (QSA), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), PCI Professional (PCIP), AWS Certified Solutions Architect - Associate, or AWS Certified Security - Specialty
- Excellent organizational and technical program management skills
- Strong interpersonal and communication skills
- Experience assessing security in a cloud-hosted environment
- Experience managing SOC2, PCI DSS, SOX ITGC, GLBA or other compliance standards and framework programs
- Demonstrated ability to assimilate new knowledge quickly
- Comfortable working in a fast-paced, dynamic environment, and managing multiple projects concurrently
- MS in a technical field or equivalent experience
- Experience with network and firewall reviews, review of technical flows and architecture diagrams, data classification, SIEM logging tools, cloud security posture management, compliance scanning solutions, vulnerability scanners, data security posture management