PCI Compliance Specialist

Conduent
Remote, NJ
$110,688 - $143,750
Remote

About The Position

We are seeking a detail-oriented and operationally disciplined PCI Compliance Specialist to serve as the execution backbone of a two-person compliance team within Conduent's PCI DSS Compliance Tower. Working in close partnership with a PCI Internal Security Assessor (ISA), you will be the day-to-day operational owner of compliance activities for 2-3 assigned business units - managing evidence collection, control monitoring, artifact readiness, and compliance tracking across every stage of the annual PCI-DSS governance cycle. This role is purpose-built for a practitioner who thrives in structured, detail-intensive environments and takes personal pride in the accuracy, completeness, and timeliness of compliance records. You will be the organized engine that keeps the team's assigned scopes audit-ready year-round, freeing the ISA to focus on assessor relationships, risk advisory, and stakeholder engagement.

Requirements

  • Bachelor’s degree in Information Security, Business Administration, Information Systems, or a related field; equivalent professional experience considered.
  • 2+ years of experience in a compliance, audit support, IT governance, or information security operations role.
  • Demonstrated experience managing evidence collection or documentation programs in a regulated environment (PCI-DSS, SOC 2, ISO 27001, HIPAA, or equivalent).
  • Prior experience working in or supporting a compliance team with recurring audit cycles is strongly preferred.
  • Working knowledge of PCI-DSS requirements, control testing concepts, and the annual recertification lifecycle (SAQ/ROC/AOC process familiarity required).
  • Understanding of cardholder data environment (CDE) scoping concepts, including data flows, network segmentation, and system component classification.
  • Familiarity with vulnerability management workflows, access review processes, and log review attestation procedures.
  • Experience using GRC platforms, ticketing systems (e.g., ServiceNow, Jira), and document management tools for compliance tracking.
  • Proficiency in Microsoft Excel, Word, and SharePoint for evidence management, status tracking, and reporting.
  • Exceptional organizational discipline with the ability to manage multiple concurrent evidence streams, deadlines, and tracking logs across 2-3 scopes without loss of accuracy.
  • Meticulous documentation habits - takes ownership of record accuracy, version control, and artifact completeness as a professional standard.
  • Strong written communication skills; able to draft clear, concise evidence requests, status updates, and compliance summaries for both technical and non-technical audiences.
  • Collaborative working style; able to build effective relationships with control owners, IT teams, and business unit staff to facilitate timely evidence submission.
  • Proactive follow-through - tracks open items to closure independently and escalates appropriately before deadlines are missed.
  • Comfort operating in structured, process-driven environments with clearly defined responsibilities and recurring compliance cycles.

Nice To Haves

  • CompTIA Security+, PCIP, CISA, CRISC
  • Experience supporting PCI-DSS assessments as a control owner coordinator, audit liaison, or compliance analyst in a BPO, financial services, or retail payments environment.
  • Familiarity with GRC/evidence management platforms used in PCI audit cycles.
  • Experience working across multiple business units or legal entities simultaneously, managing parallel compliance workstreams.
  • Knowledge of related frameworks (ISO 27001, SOC 2, NIST CSF) and the ability to cross-reference PCI-DSS controls against complementary standards.
  • Experience building or maintaining compliance dashboards and KPI trackers in Excel, Power BI, or SharePoint.

Responsibilities

  • Serve as the primary evidence coordinator for all PCI-DSS control domains across 2-3 assigned business unit scopes, managing artifact collection from IT, operations, HR, and business unit control owners.
  • Maintain a continuous, audit-ready evidence repository for each assigned scope - organizing artifacts by control requirement, testing frequency, and assessment cycle.
  • Develop and distribute standardized evidence request packages to control owners, providing clear instructions on format, retention period, and submission deadlines.
  • Validate evidence submissions for completeness, accuracy, and alignment to the specific PCI-DSS v4.0 requirement being satisfied before logging in the repository.
  • Track evidence gaps, follow up on outstanding submissions, and escalate persistent collection failures to the ISA for stakeholder intervention.
  • Maintain version control and change logs for all compliance artifacts to support QSA review and year-over-year comparison.
  • Execute the control monitoring calendar for each assigned scope, performing or coordinating scheduled PCI-DSS control tests at daily, weekly, monthly, quarterly, and annual frequencies as defined by the ISA.
  • Document control test results with supporting evidence, noting pass/fail status, observations, and any exceptions identified during testing.
  • Track and log control exceptions, working with the ISA to initiate issue tickets and assign remediation owners through established workflows.
  • Coordinate and document quarterly User Access Reviews (UARs) for cardholder data environment (CDE) systems, collecting attestations from system owners and flagging any orphaned or excess access for remediation.
  • Support monthly vulnerability scan cycles by coordinating scan scheduling with IT teams, collecting results, and ensuring risk ratings and remediation tickets are opened within required timeframes.
  • Maintain the control monitoring log and provide a monthly status summary to the ISA for KPI reporting and dashboard updates.
  • Support the ISA in executing the annual PCI-DSS recertification process for all assigned scopes - managing logistics, scheduling, evidence packaging, and communication with internal stakeholders throughout the assessment window.
  • Prepare and maintain structured evidence binders and audit response packages for each control domain, ensuring all artifacts are labeled, indexed, and traceable to specific PCI-DSS v4.0 requirements.
  • Track all QSA Requests for Information (RFIs) in the team's audit management system, coordinating timely responses from control owners and flagging items at risk of missing SLA to the ISA.
  • Maintain a master findings tracker for all assigned scopes, logging audit findings, management responses, remediation owners, target dates, and closure evidence across internal and external audit cycles.
  • Support the ISA in preparing Attestations of Compliance (AOCs), Self-Assessment Questionnaires (SAQs), and Report on Compliance (ROC) documentation by compiling required data and validating input accuracy.
  • Assist with post-audit retrospectives by compiling evidence submission timelines, RFI logs, and findings summaries for lessons-learned analysis.
  • Maintain and update CDE boundary diagrams, data flow diagrams, and network segmentation documentation for each assigned scope, initiating updates within 30 days of any environment change.
  • Maintain the risk acceptance register for assigned scopes, tracking open risk acceptances, expiry dates, residual risk ratings, and required annual reviews.
  • Track compensating controls for assigned scopes, ensuring each has documented rationale, compensating measures, and a current review date on file.
  • Monitor policy and procedure currency for assigned scopes, flagging documents approaching their review date and coordinating with the ISA and policy owners to initiate updates.
  • Maintain the third-party service provider compliance tracking log for assigned scopes, following up annually on AOC renewals and flagging expired certifications to the ISA.
  • Coordinate annual PCI-DSS awareness training delivery for control owners, IT staff, and business operations personnel within assigned scopes - tracking enrollment, completion rates, and issuing completion certificates.
  • Develop and maintain training attendance records and completion reports for all assigned scopes to support audit evidence requirements.
  • Assist the ISA in preparing control owner briefing materials, interview guides, and evidence submission instructions ahead of assessment windows.
  • Support onboarding of new control owners within assigned business units, walking them through evidence expectations, submission formats, and the compliance calendar.

Benefits

  • Health and Welfare Benefits
  • Retirement Savings
  • Employee Discounts
  • Career Growth Opportunities
  • Paid Training
  • Paid time off
  • Great Work Environment
  • Health insurance coverage
  • Voluntary dental and vision programs
  • Life and disability insurance
  • A retirement savings plan
  • Paid holidays
  • Paid time off (PTO) or vacation and/or sick time