The  Governance, Risk, and Compliance (GRC) team handles a wide range of cross-functional activities, from security compliance certifications and audits, to risk management, inbound and outbound due diligence, third party risk management, security awareness, policy and procedures, PCI DSS and other standard compliance, and much more. 

Each of these ongoing parallel activities entails interpreting and setting requirements, assessing the effectiveness of security controls, risk-based decision making, cross-functional collaboration and communication, and staying up-to-date on security best practices and how changes in the evolving threat landscape need to inform our strategy.

We are seeking an experienced Security Compliance Manager responsible for overseeing the organization’s compliance with the Payment Card Industry Data Security Standard (PCI DSS). As an individual contributor, this role ensures that all required processes, procedures, and controls are implemented and maintained to protect cardholder data and ensure our ongoing compliance with PCI DSS requirements.

Key Responsibilities:

Program Management:

• Develop and maintain the organization’s PCI DSS compliance roadmap
• Partner with stakeholders and cross-functional partners to identify, document, and communicate project/program scope, schedule, risks, and issues
• Serve as the primary point of contact for PCI Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), and relevant external partners.
• Be the subject matter expert for PCI DSS compliance across SoFi

PCI Security assessments:

• Coordinate PCI DSS annual assessments, vulnerability scans, and penetration testing with various internal and external stakeholders
• Perform ongoing compliance checks to ensure continuous compliance. 
• Facilitate code reviews, architecture reviews, API security reviews and third party reviews with engineering and security teams for PCI scoped environment
• Lead PCI governance for cardholder data environment
• Collect, prioritize, track, and drive issues to resolution/closure

Policy and Procedure Development:

• Collaborate with relevant departments to maintain and update PCI DSS-compliant policies, controls and procedures
• Regularly review and update the organization’s policies and procedures to ensure ongoing compliance

Training and Awareness:

• Conduct PCI DSS awareness and training sessions for staff
• Ensure all relevant personnel are aware of PCI DSS requirements as they pertain to their roles

Risk Management:

• Identify potential areas of compliance vulnerability and risk
• Develop and implement corrective action plans for resolution of problematic issues
• Provide guidance on risk mitigation techniques related to PCI DSS

Incident Response:

• Assist with any potential cardholder data breaches or incidents, ensuring they are appropriately addressed, documented, and reported in accordance with PCI DSS requirements

Stakeholder Communication:

• Provide regular updates to leadership on the status of PCI DSS compliance, including any potential risks or issues

Continuous Improvement:

• Stay updated on changes to the PCI DSS and related industry best practices
• Recommend improvements to enhance the security posture and efficiency of the organization’s PCI program

Minimum qualifications

• Minimum of 7 years of experience in PCI DSS compliance, preferably in a similar role.
• Strong understanding of information security principles, best practices, and the PCI DSS.
• Relevant certifications such as Qualified Security Assessor (QSA) Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), PCI Professional (PCIP), AWS Certified Solutions Architect - Associate or AWS Certified Security Specialty
• Excellent organizational and technical program management skills.
• Strong interpersonal and communication skills.

• Experience assessing security in a cloud-hosted environment
• Experience managing SOC2, PCI DSS, SOX ITGC, GLBA or other compliance standards and framework programs
• Demonstrated ability to assimilate new knowledge quickly
• Comfortable working in a fast-paced, dynamic environment, and managing multiple projects concurrently

Preferred qualifications

• MS in a technical field or equivalent experience
• Experience with network and firewall reviews, review of technical flows and architecture diagrams, data classification, SIEM logging tools, cloud security posture management, compliance scanning solutions, vulnerability scanners, data security posture management