Nordstrom

Senior Technical PCI Analyst (Hybrid - Seattle)

Nordstrom · $166K – $258K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 6–8 years of hands-on PCI DSS compliance experience with ownership of a PCI program.
  • Proven experience in building PCI programs from scratch including asset inventories and operational procedures.
  • Deep knowledge of PCI DSS v4.0 across all 12 Requirements, especially technical aspects.
  • Experience scoping in hybrid cloud/on-prem environments with defense of scoping decisions.
  • Hands-on control testing experience, including conducting security reviews and assessments.
  • Prior experience as a QSA liaison, managing document requests and fieldwork.

Responsibilities

  • Drive the complete PCI DSS compliance lifecycle from scoping to QSA coordination.
  • Build and maintain the Cardholder Data Environment (CDE) asset inventory.
  • Design and oversee a periodic control testing program for effective assessments.
  • Draft essential policies and procedures to ensure program sustainability.
  • Track compliance metrics and findings to keep leadership informed.
  • Lead scoping discussions with technical teams to outline CDE boundaries.
  • Validate control effectiveness through hands-on testing and evidence collection.

Benefits

  • Medical/Vision and Dental coverage
  • Retirement plans with 401k options
  • Paid Time Off (PTO) and Holidays
  • Life Insurance and Disability benefits
  • Employee Assistance Program (EAP) resources
  • Merchandise Discount program
Full Job Description


Nordstrom is looking for a technically deep PCI SME who thrives at the intersection of hands-on payment security work and program building. You’ll own our PCI DSS v4.0 compliance program end-to-end — from scoping and evidence collection through control testing and QSA coordination — while simultaneously building the operational backbone (processes, tooling, documentation) that keeps the program humming year-round, not just during assessment season.

You’re the person who knows what’s in scope. When an engineer asks “does this new microservice touch the CDE?” or a product manager wants to know if their new payment flow creates PCI exposure, you’re the one they come to — and you give them a real answer, not an “it depends, let me escalate.”

You’ll also be a go-to resource and mentor for the other compliance analysts on the team. You won’t manage anyone’s performance reviews, but your PCI expertise will help level everyone up — answering questions, reviewing their work, and making sure the team speaks PCI fluently.

If you get a little too excited about data flow diagrams, have strong opinions about network segmentation, and have ever caught a scoping error that saved your company a world of pain — keep reading.

A Day in the Life
Own the PCI Program (for real)
  • Drive the full PCI DSS v4.0 compliance lifecycle: scoping, gap assessment, evidence collection, control testing, and annual QSA coordination. You’re not handing this off — you’re running it.
  • Build and maintain the CDE asset inventory — network segmentation docs, data flow diagrams, system component registers — across on-premises and cloud. If it touches cardholder data, you know about it.
  • Design and run the periodic control testing program: scheduling, evidence requests, test procedures, exception tracking, and remediation follow-up. Assessment season should feel like a victory lap, not a fire drill.
  • Write the policies, procedures, RACIs, and runbooks that make the program sustainable — so it doesn’t fall apart when you take a vacation.
  • Track findings, owners, and milestones in the GRC platform and surface the right KPIs and KRIs (open findings age, control test pass rates, inventory coverage) so leadership always knows where things stand.

Be the Scoping Expert in the Room
  • Lead scoping conversations with engineering and infrastructure teams to define CDE boundaries in hybrid on-prem/cloud environments (AWS, Azure, GCP) — and back up your decisions with solid documentation.
  • Review architecture changes, new products, and vendor integrations before they ship so PCI surprises happen in a design doc, not during QSA fieldwork.
  • Spot de-scoping opportunities — whether it’s segmentation, tokenization, or P2PE — and partner with engineering to get them implemented.
  • Dig into network diagrams, cloud configs, and data flow docs to validate scope and find the undocumented CHD flows before the QSA does.
  • Translate PCI requirements into concrete specs for engineers: what Req 6 means for their CI/CD pipeline, what Req 8 means for their IAM setup, what Req 10 means for their logging architecture.

Test Controls, Collect Evidence, Repeat
  • Actually test technical controls — firewall rule reviews, patch compliance, access reviews, log configurations, encryption assessments. You’re not just reviewing screenshots someone else took.
  • Build a reusable testing library: documented test procedures for every in-scope Requirement, so each cycle gets more efficient, not more chaotic.
  • Collect and validate evidence to QSA standards — complete, timestamped, traceable to specific sub-requirements. Future you will thank present you.
  • Run the evidence request workflow with control owners so the week before QSA fieldwork isn’t a full-team emergency.

Own the QSA Relationship
  • Be the primary day-to-day QSA contact: coordinate fieldwork, manage document requests, and run walkthroughs with technical teams so engineers aren’t getting cold-called by assessors.
  • Defend scoping decisions, present compensating controls, and represent Nordstrom’s compliance posture with confidence — because you built the program and you know it inside out.
  • Manage acquiring bank and payment brand relationships around compliance status, SAQ applicability, and AOC delivery.

Level Up the Team
  • Be the PCI go-to for the compliance team: answer the hard questions, review work products, and help other analysts build their PCI knowledge over time.
  • Embed with engineering, DevOps, and product teams as a trusted advisor — show up to design reviews, join sprint ceremonies when it matters, be the person who makes PCI feel less scary.
  • Educate stakeholders on PCI obligations and v4.0 changes in language that actually lands, whether you’re talking to a network engineer or a VP.
  • Partner with the broader GRC team to spot control overlaps with SOX, HIPAA, and other frameworks and contribute to a Common Control Framework.

You’re the One If You Have…
PCI Experience That Goes Beyond the Checkbox
  • 6–8 years of hands-on PCI DSS compliance experience, with at least 3 years owning or co-owning a PCI program at a merchant, payment processor, or service provider.
  • A track record of building PCI programs from scratch: asset inventory processes, control testing schedules, evidence libraries, and operational procedures — not inheriting a fully-built program and maintaining it.
  • Deep working knowledge of PCI DSS v4.0 across all 12 Requirements, including the technical requirements for network security, cryptography, access control, logging, and secure development.
  • Real scoping experience in hybrid on-premises and cloud environments, including formal documentation of scoping rationale you’ve had to defend to a QSA.
  • Hands-on control testing chops: you’ve reviewed firewall rules, validated patch compliance, run access reviews, and checked log configs yourself — not just reviewed evidence others collected.
  • QSA coordination experience: you’ve been in the room (or on the call) managing document requests, running walkthroughs, and answering the hard questions.

Technical Fluency
  • You can read a network diagram and spot a scoping problem — VLANs, DMZs, firewall rule sets, and cloud VPC/security group configs aren’t intimidating to you.
  • Cloud familiarity in at least one major platform (AWS, Azure, GCP) as it applies to PCI scoping and control requirements.
  • You can confidently participate in technical conversations as Nordstrom’s PCI SME.
  • You know your tokenization and can explain how each affects CDE scope without reading from a slide.
  • Comfortable with vulnerability management and patch compliance processes as required under PCI DSS Requirement 6.
  • You can read technical docs — network diagrams, data flow diagrams, system configs, audit logs — and extract what you need to make a compliance call.

The Soft Stuff That’s Actually Hard
  • You’re a player-coach: you’re doing hands-on work and helping others do theirs better — without needing a management title to have influence.
  • You can translate PCI-speak into plain English for engineers, and technical risk into business language for leadership. Both directions, fluently.
  • You’re comfortable pushing back when a proposed design creates PCI risk — and you come with alternatives, not just objections.
  • You’re organized enough to juggle inventory, testing, remediation, and QSA prep simultaneously without dropping things or waiting to be told what to do next.
  • You’ve used a GRC platform (ServiceNow, Archer, Drata, Vanta, or similar) to track findings and evidence — and you have opinions about how it should be configured.

Education
  • Bachelor’s degree in Information Technology, Computer Science, Cybersecurity, or a related field, or equivalent experience doing the actual work.

Bonus Points
  • PCI ISA certification or active QSA qualification — this is a big one.
  • Additional certifications: CISA, CISSP, CRISC, or cloud security certs (AWS Security Specialty, CCSK).
  • Retail, e-commerce, or hospitality experience with complex, multi-channel cardholder data environments.
  • Familiarity with other frameworks (SOX ITGC, HIPAA, CCPA) and experience contributing to a Common Control Framework.
  • GRC platform implementation or configuration experience, including building control libraries and evidence workflows.
  • PCI consulting or QSA firm background. You’ve seen a lot of programs — good and bad — and know what works.

Pay Range Details

The pay range(s) below has been provided in compliance with state specific laws. Pay ranges may be different for other locations.
Pay offers are dependent on the location, as well as job-related knowledge, skills, and experience.

$166,000.00 - $258,000.00 Annual

We’ve got you covered…

Our employees are our most important asset and that’s reflected in our benefits. Nordstrom is proud to offer a variety of benefits to support employees and their families, including:

  • Medical/Vision, Dental, Retirement and Paid Time Away
  • Life Insurance and Disability
  • Merchandise Discount and EAP Resources

This position may be eligible for performance-based incentives/bonuses. Benefits include 401k, medical/vision/dental/life/disability insurance options, PTO accruals, Holidays, and more. Eligibility requirements may apply based on location, job level, classification, and length of employment. Learn more in the Nordstrom Benefits Overview by copying and pasting the following URL into your browser: https://careers.nordstrom.com/pdfs/Ben_Overview_17-19.pdf


A few more important points...

The job posting highlights the most critical responsibilities and requirements of the job. It’s not all-inclusive. There may be additional duties, responsibilities and qualifications for this job.

About Nordstrom

Acquired by Nordstrom in March 2011, HauteLook is a place where you'll discover thousands of the top fashion and lifestyle brands at amazing savings. Each day at 8 AM Pacific, shop new sale events featuring the best names in women's and men's fashion, beauty, and home décor at up to 75% off. Membership is free and everyone is welcome. HauteLook launched in 2007 and is headquartered in Los Angeles. See what the buzz is all about! Register now to become a HauteLook member. www.hautelook.com

Nordstrom Careers

Join the vibrant team at Nordstrom, a leader in the retail industry, where your career growth and development are prioritized. At Nordstrom, we offer a wide array of job opportunities that allow professionals to thrive in an innovative and supportive environment.

Work You’ll Do

At Nordstrom, we are committed to driving success not only for our company but for each individual who joins our team. Whether you are looking for a position in sales, management, or corporate roles, Nordstrom provides a platform for professional growth through hands-on experience and high-quality leadership training. Our commitment to diversity and inclusion ensures a workplace where everyone can truly belong and excel. Nordstrom’s market-leading team is at the forefront of retail innovation and customer service excellence. By joining us, you will collaborate with skilled professionals dedicated to reshaping the future of retail through cutting-edge technology and exceptional service strategies.

Internship Programs

Kickstart your career with a Nordstrom internship. Our programs offer invaluable industry insights and hands-on experience, making them a perfect starting point for students and recent graduates eager to make their mark in the retail sector. Interns at Nordstrom gain practical skills and are often considered for full-time positions, reflecting our commitment to nurturing talent from within.

Employee Benefits and Culture

Nordstrom’s reputation is built not only on our commitment to customers but also on our dedication to our team members. We offer a comprehensive benefits package that supports the health, well-being, and financial security of our employees and their families. Benefits at Nordstrom include health insurance, employee discounts, and access to wellness programs. Our culture at Nordstrom is one of collaboration, innovation, and respect. We believe in the power of working together as a team, where each member’s contribution is valued. Networking within the company is encouraged, fostering a community of support and continuous learning.

Career Advancement Opportunities

Nordstrom believes in the growth of our employees. With a variety of training and development programs, employees are equipped with the knowledge and skills needed to advance their careers within the company. Leadership development and succession planning are integral parts of our commitment to employee advancement.

Join Our Team

Explore the exciting career and employment opportunities available at Nordstrom today. We are actively hiring and looking for ambitious, creative, and driven individuals to join our team. Search open positions that match your skills and interests on our Jobs page.

Stay Connected

Keep up to date with the latest career tips, insider perspectives, and industry-leading insights—all from the people who work at Nordstrom. Subscribe to our Careers Blog and personalize your subscription to receive job alerts and the latest news tailored to your preferences. Discover the rewarding career opportunities waiting for you at Nordstrom, where we turn jobs into pathways for professional growth and personal achievement. Join us and be part of a company that values innovation, leadership, and a diverse and inclusive workplace.
Learn more about Nordstrom

  • Size: 60,000 employees
  • Market Cap: $2.5 billion
  • Net Income: -$531 million
  • Founded: 1901
  • 5 Year Trend: -5.8%
  • Revenue: $10.7 billion
  • Exchange: NASDAQ
