About the Company:
Our client is looking for a Senior IT Security Engineer to lead the development and maintenance of our information security infrastructure, ensuring compliance with standards like PCI DSS. This role involves assessing both cloud and on-premise IT security protocols, spearheading security initiatives, and managing relationships with managed security service providers. The position focuses on risk management, vulnerability compliance, and internal controls to optimize our overall IT security strategy.
About the Role:
Key Responsibilities:
- Conduct internal security assessments and audits to ensure compliance with PCI DSS and other security standards.
- Collaborate with various departments to identify, assess, and mitigate security vulnerabilities, particularly in payment card processing environments.
- Develop and maintain a comprehensive PCI compliance program, including the creation of policies, procedures, and documentation.
- Oversee the security infrastructure to ensure it is robust and resilient against potential threats.
- Provide guidance on secure payment processing practices to business units and IT teams.
- Act as a liaison with external Qualified Security Assessors (QSAs) during PCI DSS assessments and facilitate remediation of any gaps identified.
- Train staff on PCI DSS requirements and best practices for protecting cardholder data.
- Monitor changes to PCI DSS standards and implement necessary updates across the organization.
- Manage and oversee the performance of the company's managed information security service provider.
- Prepare Reports on Compliance (ROCs) and Self-Assessment Questionnaires (SAQs) for PCI DSS reporting.
- Present process improvements for approval by senior IT management and ensure successful implementation.
- Ensure compliance with relevant laws, policies, and regulations for all company information systems.
- Generate and audit vulnerability reports, conduct quarterly network scans, and organize bi-annual penetration tests, ensuring timely remediation.
- Collaborate with the legal department to maintain IT security compliance and governance with external service providers and vendors.
- Assist in the development and maintenance of a comprehensive incident response plan for breaches involving cardholder data.
- Provide regular compliance status reports, security assessments, and remediation updates to senior management and stakeholders.
- Participate in various security and compliance projects as needed.
- Perform additional tasks as assigned.
Qualifications:
Required Qualifications:
- Bachelor’s degree in Information Technology, Information Security, Computer Science, or a related field, with 8+ years of experience in information security focusing on PCI DSS compliance, or 12+ years of experience in information security with a focus on PCI DSS compliance.
- 6+ years of experience with security tools and technologies for security and compliance monitoring.
- Strong understanding of information security principles, vulnerability scanning, remediation, reporting, data protection laws, and payment industry standards.
- Excellent analytical, problem-solving, and decision-making skills.
- Effective communication skills, with the ability to adapt messages for different audiences.
- Highly detail-oriented, with the ability to manage multiple projects simultaneously.
- Solid understanding of IT governance, risk management, and compliance software tools.
- Expertise in IT security principles, particularly related to cloud infrastructure (Azure, AWS, Google Cloud), networks, databases, application security, firewalls, multi-factor authentication (MFA), and identity/access management.
- Proficiency in technical domains including access and authentication, data security, secure software development, IT operations, boundary protection, vulnerability management, business continuity, and disaster recovery.
- Ability to work independently and as part of a team, demonstrating professionalism and a strong work ethic.
Preferred Qualifications:
- Professional certifications such as PCI ISA (Internal Security Assessor), PCIP (PCI Professional), CISSP, CISM, CISA, CIS, NIST, or HIPAA are highly desirable.