Senior Technical Compliance Analyst

Sorry, this job was removed at 02:45 a.m. (CST) on Friday, Mar 21, 2025
Hiring Remotely in USA
Remote
127K-203K Annually
Cloud • Fintech • Food • Information Technology • Software • Hospitality
We empower the restaurant community to delight guests, do what they love, and thrive.
The Role

Toast is driven by building the restaurant platform that helps restaurants adapt, take control, and get back to what they do best: building the businesses they love.

The Technical Governance, Risk and Compliance (Technical GRC) team enables the growth of Toast as we build secure products and enter new markets while meeting industry and regulatory requirements. Our team is a second-line function, providing oversight and leadership to first-line teams designed for high-velocity product innovation and development.

We are currently seeking a Senior Analyst for Technical Compliance who will be responsible for overseeing and supporting many aspects of Toast's PCI Compliance Program. In this role, you will collaborate with our Principal PCI Compliance Analyst and various teams throughout Toast, including Product, Infrastructure Engineering, IT Security, Developers, Legal, and Merchant Risk to ensure our products and processes are following PCI standards. 

The successful candidate will report directly to the Senior Director of Technical Compliance who is responsible for establishing and maintaining compliance programs across Toast globally.


About this roll* (Responsibilities) 

Audit / Assessment Management 

  • Direct and support the planning and execution of PCI assessments of Toast payment solutions and environments, which includes interpreting and assessing controls using compliance frameworks with a focus on payment card compliance and security (e.g. PCI DSS, PCI SSF, PTS, MPoC, PIN, P2PE).
  • Coordinate with external assessors (QSA, QPA, other), process/control owners, and other key internal / external stakeholders to streamline the assessment process for gained efficiencies, including activities related to collecting and reviewing evidence and refining the relevant runbooks. 
  • Support the monitoring of the implementation and validation of any recommended remediations from internal or external assessments. 

Readiness and other compliance support activities may include:

  • Actively support ongoing PCI program health and maturity.
  • Document and maintain cardholder data environment scope narratives, controls and supporting evidence.
  • Monitor business activities by collaborating with cross-functional team leaders to ensure the organization maintains compliance with external certifications.
  • Evaluate current and evolving processes and technical controls to identify compliance gaps against one or more security frameworks, and produce actionable feedback for stakeholder review and remediation.
  • Advise and consult with internal teams on PCI-related initiatives and programs, development of a continuous monitoring program and provide general PCI-related support to technical teams.
  • Perform ongoing design and operating effectiveness reviews to identify changes impacting relevant products and infrastructure and work with teams on compliance readiness roadmaps.
  • Manage and respond to customer requests regarding PCI compliance.
  • Create and maintain documentation to support the PCI Management Program.
  • Develop and deliver training on PCI topics to relevant stakeholders.
  • Collaborate with other members of the GRC team on team-wide initiatives.

Do you have the right ingredients*? (Requirements)

  • Experience (5-7+ years) in Security GRC, IT security, or a related field, with in-depth working knowledge of PCI standards including PCI DSS, preferably inside fast-growing companies.
  • Understanding of cloud computing architectures and security patterns, including assessing and implementing PCI controls in such environments. 
  • High levels of curiosity, persistence, and a grounded approach to getting things done
  • Familiarity with GRC (Governance, Risk, and Compliance) solutions, tools, platforms, and Enterprise Risk Management (ERM) processes
  • Knowledge of industry security, audit, and privacy standards, frameworks, and regulations, such as PCI DSS (and other PCI standards), ISO27001, etc. 
  • Relevant industry certifications such as CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager) OR equivalent expertise. QSA / ISA certification / experience preferred.


Bonus ingredients:

  • Experience working with GRC tools such as AuditBoard
  • Experience working with Atlassian tools, including Jira, Confluence, and Atlas
  • Working knowledge and familiarity with enterprise risk management, GDPR, EBA ICT, DORA, SOX, COBIT, SOC/SSAE18
  • Experience working in fintech, payment facilitation / marketplace, merchant processing and/or fraud/risk


Our Spread* of Total Rewards
We strive to provide competitive compensation and benefits programs that help to attract, retain, and motivate the best and brightest people in our industry. Our total rewards package goes beyond great earnings potential and provides the means to a healthy lifestyle with the flexibility to meet Toasters’ changing needs. Learn more about our benefits at https://careers.toasttab.com/toast-benefits.

*Bread puns encouraged but not required

The starting pay rate for this role is below. Please note, there is not a range for this role, the number listed below is the rate.

Pay Rate

$127,000 - $203,000 USD


We are Toasters

Diversity, Equity, and Inclusion is Baked into our Recipe for Success.

At Toast our employees are our secret ingredient. When they are powered to succeed, Toast succeeds.

The restaurant industry is one of the most diverse industries. We embrace and are excited by this diversity, believing that only through authenticity, inclusivity, high standards of respect and trust, and leading with humility will we be able to achieve our goals.

Baking inclusive principles into our company and diversity into our design provides equitable opportunities for all and enhances our ability to be first in class in all aspects of our industry.

Bready* to make a change? Apply today!

Toast is committed to creating an accessible and inclusive hiring process. As part of this commitment, we strive to provide reasonable accommodations for persons with disabilities to enable them to access the hiring process. If you need an accommodation to access the job application or interview process, please contact candidateaccommodations@toasttab.com.

What the Team is Saying

Christopher
Senior Onboarding Consultant, E-Commerce
“I love working at Toast for various reasons. Toast is inclusive and always focused on my career growth. Also, working with restaurant owners and them telling you that you’ve made their dreams come true - words cannot explain that feeling. I love it here.”

The Company
HQ: Boston, MA
5,000 Employees
Hybrid Workplace
Year Founded: 2011

What We Do

Toast is the all-in-one platform built for restaurants of all sizes. Toast provides a single platform of software as a service (SaaS) products and financial technology solutions that give restaurants everything they need to run their business, including point of sale, payments, supplier management, digital ordering and delivery, marketing and loyalty, and team management. By serving as the restaurant operating system across dine-in, takeout, and delivery channels, Toast helps restaurants increase revenue, streamline operations and deliver amazing guest experiences.

Why Work With Us

Our recipe for an awesome workplace:

One splash of friendship
A dollop of impact
A sprinkle of no hierarchy &
A heavy spoonful of individuality

Mix these ingredients in a fast-paced and hardworking environment. Best paired with a side of interesting people who always bring their whole selves to work.

*100% Sunday scary free

Toast Offices

Hybrid Workspace

Employees engage in a combination of remote and on-site work.

Typical time on-site: Flexible
HQ: Boston, MA
Bengaluru, IN
Chennai, IN
Chicago, IL
Dublin, IE
Lublin, PL
Omaha, NE
San Francisco, CA
