Senior Technical Compliance Analyst

Toast
Summary
Join Toast's Technical Governance, Risk, and Compliance (Technical GRC) team as a Senior Analyst for Technical Compliance. You will oversee and support Toast's PCI Compliance Program, collaborating with various teams to ensure adherence to PCI standards. Responsibilities include auditing and assessing payment solutions, coordinating with external assessors, monitoring remediation implementation, and advising internal teams on PCI initiatives. The ideal candidate possesses 5-7+ years of experience in Security GRC or IT security with in-depth PCI knowledge, understands cloud computing architectures, and holds relevant certifications. This role reports to the Senior Director of Technical Compliance and offers a competitive compensation and benefits package.
Requirements
- Experience (5-7+ years) in Security GRC, IT security, or a related field, with in-depth working knowledge of PCI standards including PCI DSS, preferably inside fast growing companies
- Understanding of cloud computing architectures and security patterns, including assessing and implementing PCI controls in such environments
- High levels of curiosity, persistence, and a grounded approach to getting things done
- Familiarity with GRC (Governance, Risk, and Compliance) solutions, tools, platforms, and Enterprise Risk Management (ERM) processes
- Knowledge of industry security, audit, and privacy standards, frameworks, and regulations, such as PCI DSS (and other PCI standards), ISO 27001, etc.
- Relevant industry certifications such as CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager) OR equivalent expertise. QSA / ISA certification / experience preferred
Responsibilities
- Direct and support the planning and execution of PCI assessments of Toast payment solutions and environments, which includes interpreting and assessing controls using compliance frameworks with a focus on payment card compliance and security (e.g. PCI DSS, PCI SSF, PTS, MPoC, PIN, P2PE)
- Coordinate with external assessors (QSA, QPA, other), process/control owners, and other key internal / external stakeholders to streamline the assessment process for gained efficiencies, including activities related to collecting and reviewing evidence and refining the relevant runbooks
- Support the monitoring of the implementation and validation of any recommended remediations from internal or external assessments
- Actively support ongoing PCI program health and maturity
- Document and maintain cardholder data environment scope narratives, controls and supporting evidence
- Monitor business activities by collaborating with cross-functional team leaders to ensure the organization maintains compliance with external certifications
- Evaluate current and evolving processes and technical controls to identify compliance gaps against one or more security frameworks, and produce actionable feedback for stakeholder review and remediation
- Advise and consult with internal teams on PCI-related initiatives and programs, development of a continuous monitoring program and provide general PCI-related support to technical teams
- Perform ongoing design and operating effectiveness reviews to identify changes impacting relevant products and infrastructure, and work with teams on compliance readiness roadmaps
- Manage and respond to customer requests regarding PCI compliance
- Create and maintain documentation to support the PCI Management Program
- Develop and deliver training on PCI topics to relevant stakeholders
- Collaborate with other members of the GRC team on team-wide initiatives
Preferred Qualifications
- Experience working with GRC tools such as AuditBoard
- Experience working with Atlassian tools, including Jira, Confluence, and Atlas
- Working knowledge and familiarity with enterprise risk management, GDPR, EBA ICT, DORA, SOX, COBIT, SOC/SSAE18
- Experience working in fintech, payment facilitation / marketplace, merchant processing and/or fraud/risk
Benefits
Competitive compensation and benefits programs