PCI DSS SAQ D Service Provider Lead

FYI For Your Information Inc, Silver Spring, MD
Hybrid

About The Position

FYI is seeking a PCI DSS SAQ D Service Provider Lead to support an active PCI compliance program for a SaaS/cloud/payment-adjacent environment. This role will own the PCI domain in a fractional capacity, including PCI scoping support, evidence sufficiency review, quarterly scan cadence, penetration testing evidence, remediation tracking, and responses to auditors, QSAs, processors, banks, or other requesting entities. The right candidate has done this work before and can drive their lane without constant prompting.

Requirements

  • 8+ years of cybersecurity, GRC, IT audit, compliance, security consulting, or related experience.
  • Direct hands-on experience supporting PCI DSS assessments.
  • Direct experience with PCI DSS SAQ D; Service Provider experience is strongly preferred.
  • Experience with SaaS, cloud-hosted, fintech, payment, or payment-adjacent environments.
  • Working knowledge of ASV scanning, internal vulnerability scanning, penetration testing evidence, vulnerability remediation, IAM/MFA, encryption, logging, monitoring, FIM, change control, and secure development requirements.
  • Ability to translate PCI requirements into practical tasks for engineering, IT, security, and business stakeholders.
  • Strong written communication skills and ability to produce audit-ready summaries and responses.
  • Ability to work through ambiguity and distinguish sufficient evidence from weak or incomplete evidence.

Nice To Haves

  • Prior QSA, ISA, or QSA-firm experience.
  • PCI DSS v4.x experience.
  • CISA, CISSP, CISM, Security+, or equivalent certification.
  • Experience with Drata, Vanta, Secureframe, Hyperproof, Jira, Confluence, AWS, Azure, GCP, or similar platforms.
  • SOC 2 familiarity, especially where controls overlap with PCI DSS.

Responsibilities

  • Support PCI DSS SAQ D Service Provider readiness, scoping, evidence review, and control interpretation.
  • Review PCI scope assumptions, in-scope systems, applications, integrations, service providers, and payment/data-flow considerations.
  • Coordinate and review evidence for quarterly external ASV scans and internal vulnerability scans.
  • Coordinate PCI-relevant penetration testing evidence, including scope, rules of engagement, final report review, remediation, and retest evidence.
  • Review evidence for file integrity monitoring, encryption, MFA, IAM, logging, monitoring, change control, secure development, vulnerability management, and remediation tracking where relevant to PCI DSS.
  • Identify weak, incomplete, stale, unclear, or nonresponsive evidence before submission.
  • Draft or review PCI-related auditor, QSA, processor, or requesting-entity responses.
  • Support tracking of PCI remediation items, exceptions, compensating-control discussions, and risk acceptance needs.
  • Help define and maintain recurring PCI compliance cadence, including quarterly scans and annual validation activities.
  • Provide concise written status updates, blockers, risks, and next actions to the project manager and CISO/vCISO.

Benefits

  • Opportunity to work a hybrid work schedule.
  • A knowledgeable, high-achieving, diverse, experienced, and fun team.
  • The chance to be part of a rapidly growing company and the next success story.
  • A competitive base salary with a loaded benefits package plus 401K.
  • Tuition/education assistance, personal computer allowance, pet insurance.