Gem.com

Sr. DevOps Engineer

$100K — $130K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 6+ years securing production cloud environments
  • Fluent in Terraform and AWS with practical experience
  • Proficient in Python and Bash for automation
  • Led compliance implementations like PCI and SOC 2
  • Skilled in evaluating effective security controls over checkbox compliance

Responsibilities

  • Own the PCI DSS 4.0 program end-to-end
  • Drive SOC 2 continuous monitoring
  • Decide security enforcement in CI/CD pipelines
  • Architect full container security and runtime protection
  • Evaluate security tooling and standardization decisions
  • Automate compliance to make evidence a byproduct of operations
  • Interpret and meet complex PCI DSS 4.0 requirements

Benefits

  • Join a team with a strong focus on security
  • Work in a high-trust, collaborative environment
  • Shape security practices in a high-stakes financial context
  • Develop and implement innovative security solutions
  • Interact with varied stakeholders across the organization
Full Job Description

We're hiring a Senior DevSecOps Engineer to own the security posture of a production platform that processes millions of real-time transactions for thousands of merchants. You'll report to the Director of DevOps & SecOps and work alongside a small, high-trust infrastructure team.

This is a senior individual contributor role with real scope. You'll drive our PCI DSS 4.0 program end to end - not only the evidence collection, but the architectural decisions that determine what evidence we need to collect in the first place. You'll own our SOC 2 continuous monitoring. You'll decide how security gets enforced in our CI/CD pipelines in a way that keeps developers moving rather than routing around you. Because we handle payment data in a fraud-prevention context, the security work here has an unusually short path to business risk - weak controls don't just invite auditors, they put customer trust on the line. You'll own the full container security architecture and make the design decisions that shape how we scan at build time and protect workloads at runtime. You'll push compliance automation until evidence is a byproduct of how our systems run, not a quarterly project. You'll evaluate security tooling for this environment and bring a point of view on what we should commit to next. And you'd be a primary voice in how we interpret and meet PCI DSS 4.0's newer requirements - the ones that demand engineering judgment, not just checkbox compliance.

Our stack is primarily AWS, heavily Terraform-managed, with workloads running across a mix of compute services and a container orchestration migration underway. We run multiple CI/CD systems, centralized secrets management, and modern observability and security monitoring across the platform. We're opinionated about Infrastructure-as-Code; we're less opinionated about which specific tools solve a given problem, and we expect the person in this role to bring a point of view on what we should standardize on next.

This is a team that takes security seriously and has built real infrastructure around it - you'd be joining to raise the bar further, not to start from scratch. PCI DSS 4.0 introduces requirements that demand engineering judgment, not just checkbox compliance, and we're looking for someone who can help us interpret what those mean for our specific environment.

You've spent six or more years securing production cloud environments - the specifics matter less to us than the trajectory: did the problems get harder, did your ownership grow, and can you point to outcomes that mattered? You're fluent in Terraform and AWS at the level where IAM policy decisions come from experience, not from re-reading the docs each time - the kind of fluency you get from having cleaned up a bad VPC peering mistake, not from passing a certification exam. You write Python and Bash well enough that when you see a manual process, your instinct is to automate it before the third time you do it. You've led at least one compliance implementation - PCI, SOC 2, HITRUST, FedRAMP; the shape of the work matters more than the specific framework - and you came out of it knowing which controls actually reduced risk in your environment and which ones existed only to satisfy an auditor who would never check twice.

We care a lot about how you think about the engineering relationship. Security people who treat developers as adversaries don't fit here. When a developer routes around a security control here, your first question should be what made the control annoying enough to dodge - not how to lock the bypass down harder. Good communication is a real part of the job - you'll spend meaningful time with auditors, with leadership, and with engineers who don't think about security full-time, and moving between those audiences is work we need you to do well. Experience in payments, fraud prevention, or any regulated-data domain is a plus.
Certifications are not required; we evaluate on what you've built and how you reason about trade-offs.

About Gem.com

Founded: 2013
