PCI Compliance Analyst

Purpose of Role

Leads all aspects of gathering and confirming evidence for PCI-DSS, SOC 2, and SOX audits to help achieve compliance with payment card industry standards and financial regulations as they pertain to the IT environment from initial discussions with the client through delivery of the final report. Ensures that appropriate IT policies and controls are in place and followed in accordance with corporate standards and processes. Serves in a consultative role evaluating our business challenges and applying recommend solutions through knowledge of the PCI-DSS standards and ITGC controls.

Specific Job Description

• Leads collaboration efforts with stakeholders to define, execute, and track pre-audit preparation tasks to meet year-round compliance goals
• Ensure timely completion of regulatory documentation, including compliance related to PCI-DSS
• Ensures the audit scope is defined and substantiated by appropriate evidence
• Analyzes prior year’s audit for lesson’s learned value
• Ensures compliance objectives are clearly communicated to stakeholders
• Provides tracking of, scheduling, and execution of SOX, SOC 2, and PCI DSS assessments
• Ensure adherence with IT policies, procedures, and processes in accordance with business and regulatory requirements, as well as updating existing and/or creating new documents as needed
• Collates and review documentation or evidence for appropriateness prior to an assessment
• Perform business and technical analysis to identify and document appropriate compliance controls
• Research project to define and document appropriate controls
• Log artifacts requested during interview sessions
• Maintain metrics showing status of assessments and audits.
• Derive new metrics to identify leading indicators of potential audit issues
• Gathers evidence from stakeholders, coordinating reviews, and uploading to assessors’ portals
• Analyze artifacts received to ensure they meet the intent of the assessment and demonstrate compliance
• Populate report templates with current status information and keep manager and team members informed of potential delays or issues with updates
• Support management programs to mature compliance posture
• Engage affiliate points of contact to promote corporate compliance best practices
• Implement continuous improvement around IT compliance and security best practices
• Interface with internal and external PCI, SOC2, and SOX auditors to represent how compliance and security controls are applied and can be demonstrated in existing or planned processes
• Conduct compliance awareness programs for groups dealing with but not limited to PAN, PII, developers, and administrators
• Must have technical understanding of network, systems, and other IT security protocols; i.e. segmentation, pen tests, vulnerability tests, etc.
• Self-disciplined and able to work on individual tasks, sometimes without clear requirements, and to work well in a team environment.
• Work with multiple groups/teams within our organization, as well as external vendors.

Span of Control

• Has no direct or indirect reports.
• Work under some general direction.
• Independently determines and develops approach to solutions.
• Participates in determining objectives of assignments.
• Plan schedules and work activities in accomplishing objectives.
• Work is reviewed upon completion for adequacy in meeting objectives.
• Validate and provide gathered evidence to auditors.

Typical Minimum Education & Experience; Knowledge/Skills/Abilities Required

• Expert understanding of PCI-DSS and underlying intent of requirements.
• Experience in recommending and evaluating compensating controls.
• 3 years of experience in the Payment Card Industry.
• 3 years documented experience in these areas: Change Management; Network Security; Application Security; Systems Integration and Security; Auditing Information Systems and Processes; Information Security; Segmentation, Pen, and Vulnerability testing; Risk Assessments; Risk Management; IT Policies and Processes
• Bachelor’s degree relevant to this field; or equivalent combination of knowledge and work experience; minimum 3 years related experience.
• QSA certification preferred
• Pen Testing certification preferred
• Prior consulting background preferred
• Excellent leadership, problem solving and time management skills.
• Excellent written and verbal communication skills
• Must interact professionally with a diverse group of executives, managers, and subject matter experts
• Ability to multi-task, elicit cooperation and communicate to all levels of management and all departments within the organization.
• Exercises good judgment and understanding of dependencies across multiple IT groups
• Must be a motivated, forward thinking individual who is able to work with minimal supervision.
• Highly proficient in MS-Office suite
• Bi-lingual a plus, but not required