Senior Technical PCI Analyst (Hybrid - Seattle)

Nordstrom, Seattle, WA
$166,000 - $258,000
Hybrid

About The Position

Nordstrom is looking for a technically deep PCI SME who thrives at the intersection of hands-on payment security work and program building. You’ll own our PCI DSS v4.0 compliance program end-to-end — from scoping and evidence collection through control testing and QSA coordination — while simultaneously building the operational backbone (processes, tooling, documentation) that keeps the program humming year-round, not just during assessment season.

You’re the person who knows what’s in scope. When an engineer asks “does this new microservice touch the CDE?” or a product manager wants to know if their new payment flow creates PCI exposure, you’re the one they come to — and you give them a real answer, not an “it depends, let me escalate.”

You’ll also be a go-to resource and mentor for the other compliance analysts on the team. You won’t manage anyone’s performance reviews, but your PCI expertise will help level everyone up — answering questions, reviewing their work, and making sure the team speaks PCI fluently. If you get a little too excited about data flow diagrams, have strong opinions about network segmentation, and have ever caught a scoping error that saved your company a world of pain — keep reading.

Requirements

  • 6–8 years of hands-on PCI DSS compliance experience, with at least 3 years owning or co-owning a PCI program at a merchant, payment processor, or service provider.
  • A track record of building PCI programs from scratch: asset inventory processes, control testing schedules, evidence libraries, and operational procedures — not inheriting a fully-built program and maintaining it.
  • Deep working knowledge of PCI DSS v4.0 across all 12 Requirements, including the technical requirements for network security, cryptography, access control, logging, and secure development.
  • Real scoping experience in hybrid on-premises and cloud environments, including formal documentation of scoping rationale you’ve had to defend to a QSA.
  • Hands-on control testing chops: you’ve reviewed firewall rules, validated patch compliance, run access reviews, and checked log configs yourself — not just reviewed evidence others collected.
  • QSA coordination experience: you’ve been in the room (or on the call) managing document requests, running walkthroughs, and answering the hard questions.
  • Technical Fluency: You can read a network diagram and spot a scoping problem — VLANs, DMZs, firewall rule sets, and cloud VPC/security group configs aren’t intimidating to you.
  • Cloud familiarity in at least one major platform (AWS, Azure, GCP) as it applies to PCI scoping and control requirements.
  • You can confidently participate in technical conversations as Nordstrom’s PCI SME.
  • You know tokenization and can explain how it affects CDE scope without reading from a slide.
  • Comfortable with vulnerability management and patch compliance processes as required under PCI DSS Requirement 6.
  • You can read technical docs — network diagrams, data flow diagrams, system configs, audit logs — and extract what you need to make a compliance call.
  • The Soft Stuff That’s Actually Hard: You’re a player-coach: you’re doing hands-on work and helping others do theirs better — without needing a management title to have influence.
  • You can translate PCI-speak into plain English for engineers, and technical risk into business language for leadership. Both directions, fluently.
  • You’re comfortable pushing back when a proposed design creates PCI risk — and you come with alternatives, not just objections.
  • You’re organized enough to juggle inventory, testing, remediation, and QSA prep simultaneously without dropping things or waiting to be told what to do next.
  • You’ve used a GRC platform (ServiceNow, Archer, Drata, Vanta, or similar) to track findings and evidence — and you have opinions about how it should be configured.
  • Education: Bachelor’s degree in Information Technology, Computer Science, Cybersecurity, or a related field, or equivalent experience doing the actual work.

Nice To Haves

  • PCI ISA certification or active QSA qualification — this is a big one.
  • Additional certifications: CISA, CISSP, CRISC, or cloud security certs (AWS Security Specialty, CCSK).
  • Retail, e-commerce, or hospitality experience with complex, multi-channel cardholder data environments.
  • Familiarity with other frameworks (SOX ITGC, HIPAA, CCPA) and experience contributing to a Common Control Framework.
  • GRC platform implementation or configuration experience, including building control libraries and evidence workflows.
  • PCI consulting or QSA firm background. You’ve seen a lot of programs — good and bad — and know what works.

Responsibilities

  • Own the PCI Program (for real): Drive the full PCI DSS v4.0 compliance lifecycle: scoping, gap assessment, evidence collection, control testing, and annual QSA coordination. You’re not handing this off — you’re running it.
  • Build and maintain the CDE asset inventory — network segmentation docs, data flow diagrams, system component registers — across on-premises and cloud. If it touches cardholder data, you know about it.
  • Design and run the periodic control testing program: scheduling, evidence requests, test procedures, exception tracking, and remediation follow-up. Assessment season should feel like a victory lap, not a fire drill.
  • Write the policies, procedures, RACIs, and runbooks that make the program sustainable — so it doesn’t fall apart when you take a vacation.
  • Track findings, owners, and milestones in the GRC platform and surface the right KPIs and KRIs (open findings age, control test pass rates, inventory coverage) so leadership always knows where things stand.
  • Be the Scoping Expert in the Room: Lead scoping conversations with engineering and infrastructure teams to define CDE boundaries in hybrid on-prem/cloud environments (AWS, Azure, GCP) — and back up your decisions with solid documentation.
  • Review architecture changes, new products, and vendor integrations before they ship so PCI surprises happen in a design doc, not during QSA fieldwork.
  • Spot de-scoping opportunities — whether it’s segmentation, tokenization, or P2PE — and partner with engineering to get them implemented.
  • Dig into network diagrams, cloud configs, and data flow docs to validate scope and find the undocumented CHD flows before the QSA does.
  • Translate PCI requirements into concrete specs for engineers: what Req 6 means for their CI/CD pipeline, what Req 8 means for their IAM setup, what Req 10 means for their logging architecture.
  • Test Controls, Collect Evidence, Repeat: Actually test technical controls — firewall rule reviews, patch compliance, access reviews, log configurations, encryption assessments. You’re not just reviewing screenshots someone else took.
  • Build a reusable testing library: documented test procedures for every in-scope Requirement, so each cycle gets more efficient, not more chaotic.
  • Collect and validate evidence to QSA standards — complete, timestamped, traceable to specific sub-requirements. Future you will thank present you.
  • Run the evidence request workflow with control owners so the week before QSA fieldwork isn’t a full-team emergency.
  • Own the QSA Relationship: Be the primary day-to-day QSA contact: coordinate fieldwork, manage document requests, and run walkthroughs with technical teams so engineers aren’t getting cold-called by assessors.
  • Defend scoping decisions, present compensating controls, and represent Nordstrom’s compliance posture with confidence — because you built the program and you know it inside out.
  • Manage acquiring bank and payment brand relationships around compliance status, SAQ applicability, and AOC delivery.
  • Level Up the Team: Be the PCI go-to for the compliance team: answer the hard questions, review work products, and help other analysts build their PCI knowledge over time.
  • Embed with engineering, DevOps, and product teams as a trusted advisor — show up to design reviews, join sprint ceremonies when it matters, be the person who makes PCI feel less scary.
  • Educate stakeholders on PCI obligations and v4.0 changes in language that actually lands, whether you’re talking to a network engineer or a VP.
  • Partner with the broader GRC team to spot control overlaps with SOX, HIPAA, and other frameworks and contribute to a Common Control Framework.

Benefits

  • Medical/Vision
  • Dental
  • Retirement
  • Paid Time Away
  • Life Insurance
  • Disability
  • Merchandise Discount
  • EAP Resources
  • 401k
  • PTO accruals
  • Holidays