The Manager of IT Risk oversees the technical aspects of the PCI (Payment Card Industry) compliance program, focusing on maintaining security controls and processes and supporting evaluations of new credit card processing systems and/or methods. Supports internal compliance efforts, identifies and assesses risks and works with internal technology owners to appropriately document, test and report PCI compliance status.
· Recommends, implements and adheres to approved operating goals, objectives and budget. Reports operational performance, justification and/or corrective action.
· Ensures operating compliance with government and agency regulations.
· Selects, develops, manages and evaluates direct reports; and oversees the selection, development, management and evaluation of indirect reports.
· Supports internal PCI technical compliance evaluations to ensure appropriate implementation of controls and alignment with the PCI-DSS standards. Identifies potential gaps, develops corrective action plans and oversees remediation activities.
· Develops and maintains PCI related network and data flow documentation. Advises process and technology owners on documentation and testing requirements.
· Oversees execution of security control test procedures across network devices, applications, databases and operating systems in scope for PCI compliance.
· Partners with all levels of IT and business management to ensure PCI compliance testing is conducted in a cooperative, timely and efficient manner with cost effective recommendations being provided to management when compliance gaps are identified.
· Supports review of PCI Self-Assessment Questionnaires (SAQ) and other related regulatory documentation required for the annual attestation, as applicable. Identifies, gathers and retains supporting evidence.
· Partners with third party Qualified Security Assessors (QSA) to validate the company’s compliance with the PCI-DSS standard. Monitors corrective actions and process improvement plans.
· Supports quarterly attestation of compliance (AoC) submissions, ongoing vulnerability scans and periodic penetration tests. Documents findings, develops remediation plans and tracks status.
· Prepares status reports and executive summaries on the PCI Compliance Program.
· Conducts end-to-end PCI compliance system reviews for new and proposed cardholder applications and services.
· Continually evaluates and identifies relevant changes to PCI requirements and assesses the impact of these changes on the company’s PCI Compliance program.
· Bachelor’s Degree
· Minimum of five (5) years progressively responsible risk experience, including management experience
· Minimum of seven (7) years related PCI experience with emphasis on assessment
· CISSP, CISA or equivalent
· Current or former QSA or ISA
· Bachelor’s degree in a technology discipline
· Current knowledge of compliance trends, issues and regulations