Manager, Compliance Program & PCI Officer

University of Toronto, Toronto, ON
CA$106,705 - CA$177,843, Onsite

About The Position

Under the general supervision of the Associate Director, GRC, the Compliance Program Manager & PCI Officer is responsible to the Chief Financial Officer and Chief Information Security & Digital Trust Officer for establishing, operationalizing, and sustaining the University of Toronto's institutional Payment Card Industry Data Security Standard (PCI DSS) compliance program and the broader information security compliance posture of the University. Whilst the Associate Director, GRC retains primary supervisory responsibility, this role maintains a dotted-line reporting relationship to the Executive Director, Treasury & Investment Services in Financial Services to provide oversight and guidance on financial risk, payment systems and merchant control considerations.

This role represents a substantive shift from project-based strategic execution to program ownership and operational compliance leadership. The Manager serves as the University's designated PCI Officer and is accountable for translating a recently completed campus-wide inventory of PCI merchants and payment flows into a fully functioning, auditable PCI compliance program. This includes transforming existing governance structures to deliver policies, standards, processes, roles, training, reporting, and ongoing assurance activities tightly aligned with compliance requirements.

Working closely with an active institutional project team, Financial Services, central ITS teams, divisional IT units, Procurement, Legal, Internal Audit, and merchant business owners across the University, the Manager builds the foundational elements of the PCI compliance framework and transitions it into a steady-state operational program.
As a member of the Information Security management team and in the University Payment Card Steering Committee, the Manager provides subject matter expertise in regulatory and standards-based compliance (with a primary focus on PCI DSS), advises on risk-based prioritization, and supports the maturation of compliance monitoring, reporting, and assurance practices across the tri-campus. The role combines program design, stakeholder engagement, operational oversight, and continuous improvement in a complex, decentralized higher-education environment.

Requirements

  • University degree in Information Technology, Business, Risk Management, Finance, or a related discipline, or an equivalent combination of education and experience.
  • Demonstrated 7 or more years of progressive experience in establishing or operating compliance and/or risk management programs in a complex organization.
  • Experience in understanding the regulatory requirements for information security and privacy.
  • Experience in coordinating cross-functional initiatives without direct authority.
  • Experience in building and managing standards-based control sets.
  • Strong understanding of compliance frameworks, risk management concepts, and control-based standards.
  • Exceptional attention to detail with a strong focus on accuracy and quality in all deliverables.
  • Ability to translate regulatory requirements into practical operational processes.
  • Excellent stakeholder engagement, facilitation, and communication skills.
  • Strong analytical, organizational, and documentation skills.
  • Ability to operate with ambiguity and build new programs from foundational work.
  • Ability to comfortably navigate a highly complex and matrix organization to achieve deliverables and launch programs.
  • Ability to work independently.
  • Proven ability to manage multiple initiatives and deadlines effectively.
  • Strong communication and interpersonal skills, to deliver effective understanding of requirements, foster consensus, and cultivate relationships with stakeholders across the organization.
  • Strategic planner with the ability to translate standards into pragmatic controls and feasible tactical plans.

Nice To Haves

  • A PCIP (PCI Professional), ISA (Internal Security Assessor), or equivalent certification is preferred.
  • Significant experience with PCI DSS compliance strongly preferred.
  • Experience in working in a decentralized or higher-education environment is an asset.

Responsibilities

  • Establishing, operationalizing, and sustaining the University of Toronto’s institutional Payment Card Industry Data Security Standard (PCI DSS) compliance program.
  • Establishing, operationalizing, and sustaining the broader information security compliance posture of the University.
  • Providing oversight and guidance on financial risk, payment systems and merchant control considerations.
  • Translating a recently completed campus-wide inventory of PCI merchants and payment flows into a fully functioning, auditable PCI compliance program.
  • Transforming existing governance structures to deliver policies, standards, processes, roles, training, reporting, and ongoing assurance activities tightly aligned with compliance requirements.
  • Building the foundational elements of the PCI compliance framework and transitioning it into a steady-state operational program.
  • Providing subject matter expertise in regulatory and standards-based compliance (with a primary focus on PCI DSS).
  • Advising on risk-based prioritization.
  • Supporting the maturation of compliance monitoring, reporting, and assurance practices across the tri-campus.
  • Combining program design, stakeholder engagement, operational oversight, and continuous improvement in a complex, decentralized higher-education environment.
© 2026 Teal Labs, Inc