Own the PCI-DSS program end to end as a service provider: scoping, gap assessment, remediation, certification, and annual maintenance
Define and minimize the cardholder data environment; drive segmentation and scope reduction with engineering and infrastructure
Manage the QSA relationship: scoping workshops, evidence packages, assessment, and findings
Keep the certification live between audits: quarterly requirements, ongoing evidence, control monitoring
Turn PCI and other framework requirements into concrete technical and organizational solutions, working directly with engineering and infrastructure teams
Distinguish between a control that exists on paper and one that actually works, and insist on the latter
Design the processes and evidence flows that keep controls satisfied without constant manual effort
Lead internal and external audits: scope, evidence, finding responses, closure
Build and maintain an evidence base that supports continuous readiness across PCI, ISO 27001, and BSP
Coordinate the ISO 27001 surveillance cycle
Bring structure and ownership to the wider compliance and risk program
Maintain the risk register as a working document and drive treatment with system owners
Run vendor security assessments and track third-party compliance obligations
Report compliance posture clearly to leadership and governance committees

Requirements
6+ years in security GRC, compliance, or audit, with real ownership of a compliance program
Has led a PCI-DSS certification end to end, ideally as a service provider, and maintained the status across cycles
Has managed a QSA relationship and run a real audit, not just supported one
Has led cardholder data environment scoping and segmentation decisions with technical teams
Comfortable across at least PCI-DSS and one of ISO 27001 or a banking framework (BSP MORB or equivalent)
Worked in a regulated environment where compliance was enforced, not aspirational