Serve as the sole compliance owner for 2–3 designated business unit scopes, maintaining comprehensive accountability for their PCI-DSS posture.
Define, implement, and continuously improve compliance governance frameworks tailored to each assigned business unit's operating model and cardholder data environment (CDE).
Establish and maintain scope boundary documentation, data flow diagrams, and network segmentation evidence for each assigned account.
Conduct regular compliance health assessments across all assigned scopes and report status to executive stakeholders via dashboards and governance reports.
Identify, document, and track control gaps, compensating controls, and risk acceptance decisions in alignment with PCI-DSS v4.0 requirements.
Partner with business unit leaders to embed compliance requirements into project intake, change management, and product development lifecycles.
Own the annual PCI-DSS recertification process for all assigned accounts, acting as the primary liaison with Qualified Security Assessors (QSAs) and internal stakeholders.
Develop and manage detailed recertification project plans, timelines, and RACI matrices to ensure on-time, audit-ready submissions.
Coordinate evidence collection from control owners across IT, operations, HR, and business units — validating completeness, accuracy, and audit readiness.
Maintain a continuous evidence repository and artifact management system to eliminate last-minute scrambles during assessment windows.
Review and respond to QSA Requests for Information (RFIs), findings, and preliminary observations on behalf of assigned business units.
Drive remediation of any deficiencies identified during assessments, tracking closure through established issue management workflows.
Complete and submit Attestations of Compliance (AOCs), Self-Assessment Questionnaires (SAQs), and Report on Compliance (ROC) documentation as applicable.
Design and operate a structured audit management program covering all PCI-related internal and external audit activities for assigned scopes.
Manage QSA and internal audit relationships, scheduling, logistics, and stakeholder communication throughout engagement lifecycles.
Maintain and continuously improve the audit management toolset (GRC platforms, ticketing integrations, evidence portals) to support efficient, repeatable audit cycles.
Develop standardized audit response playbooks, evidence templates, and interview preparation guides for control owners.
Track all audit findings, management responses, and remediation milestones to closure — escalating aged or high-risk items to leadership.
Conduct post-audit retrospectives and incorporate lessons learned into governance processes and evidence collection practices.
Establish and oversee a control monitoring calendar aligned to PCI-DSS testing frequencies for each assigned scope.
Define Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for each PCI control domain within assigned business units.
Perform or coordinate quarterly vulnerability scan reviews, penetration test oversight, access reviews, and log review attestations.
Monitor threat intelligence and PCI SSC updates, proactively assessing the impact of new requirements or guidance on assigned scopes.
Support third-party vendor assessments to verify that service providers used by assigned business units maintain their own PCI compliance.
Act as the trusted compliance advisor for business unit leadership, providing clear, actionable guidance on PCI-DSS obligations and risk posture.
Deliver regular compliance status briefings and steering committee presentations for assigned accounts.
Provide PCI-DSS training and awareness sessions to control owners, IT staff, and business operations teams within assigned scopes.
Advise on new business initiatives, technology adoptions, and process changes to ensure PCI requirements are addressed proactively.
Collaborate with Legal, Privacy, and Risk teams to align PCI compliance activities with broader enterprise GRC strategy.
Requirements
Bachelor’s degree in Information Security, Computer Science, Information Systems, or a related field; a combined 5+ years of professional experience will be considered.
5+ years of hands-on experience in PCI-DSS compliance, information security, or IT audit roles.
Minimum 2 years of direct experience managing PCI-DSS assessments (QSA engagement, ROC/SAQ preparation) as a primary owner.
Demonstrated experience managing compliance obligations for multiple business units or organizational scopes simultaneously.
2+ years of working knowledge of PCI-DSS v4.0 requirements, SAQ types, and ROC/AOC processes.
Strong understanding (2+ years) of network security concepts, segmentation controls, and cardholder data environment (CDE) scoping methodologies.
Familiarity with vulnerability management processes, penetration testing oversight, and security monitoring in payment card environments.
Experience with GRC platforms for audit and compliance management.
Working knowledge of cloud environments (AWS, Azure, GCP) in PCI-scoped contexts.
Tech Stack
AWS
Azure
Cloud
Google Cloud Platform
Benefits
Health and Welfare Benefits: Our health and welfare benefits can be tailored to fit you and your family's needs and start on the first day of employment.
Retirement Savings: We will support you as you save for your future.
Employee Discounts: We offer you access to a vast selection of global, national, and local discounts on merchandise, services, travel, and more.
Career Growth Opportunities: We help you thrive, so together, we can grow. We provide opportunities to advance your career with a vast portfolio of businesses and a global footprint.
Paid Training: Earn while you learn and continue to grow with access to award-winning learning platforms throughout your Conduent career.
Paid time off: We provide attractive paid time off packages designed for you to enjoy your life away from work.
Great Work Environment: We are proud of our award-winning culture and the recognition we’ve received for our diversity efforts.
Information Security Engineer – Senior at Conduent | JobVerse