PCI Compliance and Security Program Manager

Legal, Operations
Jacksonville, FL, USA · Salt Lake City, UT, USA
Posted on Thursday, October 19, 2023

Who we are:

Shape a brighter financial future with us.

Together with our members, we’re changing the way people think about and interact with personal finance.

We’re a next-generation fintech company using innovative, mobile-first technology to help our millions of members reach their goals. The industry is going through an unprecedented transformation, and we’re at the forefront. We’re proud to come to work every day knowing that what we do has a direct impact on people’s lives, with our core values guiding us every step of the way. Join us to invest in yourself, your career, and the financial world.

The Governance, Risk, and Compliance (GRC) team handles a wide range of cross-functional activities, from security compliance certifications and audits, to risk management, inbound and outbound due diligence, third-party risk management, security awareness, policies and procedures, PCI DSS and other standards compliance, and much more.

Each of these ongoing parallel activities entails interpreting and setting requirements, assessing the effectiveness of security controls, risk-based decision making, cross-functional collaboration and communication, and staying up-to-date on security best practices and how changes in the evolving threat landscape need to inform our strategy.

We are seeking an experienced Security Compliance Manager responsible for overseeing the organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS). As an individual contributor, this role ensures that all required processes, procedures, and controls are implemented and maintained to protect cardholder data and ensure our ongoing compliance with PCI DSS requirements.

Key Responsibilities:

Program Management:

  • Develop and maintain the organization's PCI DSS compliance roadmap
  • Partner with stakeholders and cross-functional partners to identify, document, and communicate project/program scope, schedule, risks, and issues
  • Serve as the primary point of contact for PCI Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), and relevant external partners
  • Be the subject matter expert for PCI DSS compliance across SoFi

PCI Security Assessments:

  • Coordinate PCI DSS annual assessments, vulnerability scans, and penetration testing with various internal and external stakeholders
  • Perform ongoing compliance checks to ensure continuous compliance
  • Facilitate code reviews, architecture reviews, API security reviews and third-party reviews with engineering and security teams for the PCI-scoped environment
  • Lead PCI governance for the cardholder data environment
  • Collect, prioritize, track, and drive issues to resolution/closure

Policy and Procedure Development:

  • Collaborate with relevant departments to maintain and update PCI DSS-compliant policies, controls and procedures
  • Regularly review and update the organization's policies and procedures to ensure ongoing compliance

Training and Awareness:

  • Conduct PCI DSS awareness and training sessions for staff
  • Ensure all relevant personnel are aware of PCI DSS requirements as they pertain to their roles

Risk Management:

  • Identify potential areas of compliance vulnerability and risk
  • Develop and implement corrective action plans for resolution of problematic issues
  • Provide guidance on risk mitigation techniques related to PCI DSS

Incident Response:

  • Assist with any potential cardholder data breaches or incidents, ensuring they are appropriately addressed, documented, and reported in accordance with PCI DSS requirements

Stakeholder Communication:

  • Provide regular updates to leadership on the status of PCI DSS compliance, including any potential risks or issues

Continuous Improvement:

  • Stay updated on changes to the PCI DSS and related industry best practices
  • Recommend improvements to enhance the security posture and efficiency of the organization's PCI program

Minimum qualifications

  • Minimum of 7 years of experience in PCI DSS compliance, preferably in a similar role
  • Strong understanding of information security principles, best practices, and the PCI DSS
  • Relevant certifications such as Qualified Security Assessor (QSA), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), PCI Professional (PCIP), AWS Certified Solutions Architect - Associate or AWS Certified Security Specialty
  • Excellent organizational and technical program management skills
  • Strong interpersonal and communication skills
  • Experience assessing security in a cloud-hosted environment
  • Experience managing SOC2, PCI DSS, SOX ITGC, GLBA or other compliance standards and framework programs
  • Demonstrated ability to assimilate new knowledge quickly
  • Comfortable working in a fast-paced, dynamic environment, and managing multiple projects concurrently

Preferred qualifications

  • MS in a technical field or equivalent experience
  • Experience with network and firewall reviews, review of technical flows and architecture diagrams, data classification, SIEM logging tools, cloud security posture management, compliance scanning solutions, vulnerability scanners, data security posture management

Compensation and Benefits

The base pay range for this role is listed below. Final base pay offer will be determined based on individual factors such as the candidate’s experience, skills, and location.

To view all of our comprehensive and competitive benefits, visit our Benefits at SoFi page!

SoFi provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion (including religious dress and grooming practices), sex (including pregnancy, childbirth and related medical conditions, breastfeeding, and conditions related to breastfeeding), gender, gender identity, gender expression, national origin, ancestry, age (40 or over), physical or medical disability, medical condition, marital status, registered domestic partner status, sexual orientation, genetic information, military and/or veteran status, or any other basis prohibited by applicable state or federal law.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

New York applicants: Notice of Employee Rights

Due to insurance coverage issues, we are unable to accommodate remote work from Hawaii or Alaska at this time.

Internal Employees

If you are a current employee, do not apply here - please navigate to our Internal Job Board in Greenhouse to apply to our open roles.