
Sr. Governance, Risk & Compliance Analyst

LendingPoint, LLC - Kennesaw, GA

Job Description

Job Title: Senior GRC Analyst
Reports To: VP, Infrastructure & Security
FLSA Status: Exempt
Department: Technology

JOB SUMMARY: Responsible for leading the organization's governance, risk, and compliance program with a primary focus on PCI DSS, SOC 2 (Type I & II), and banking partner security oversight. This role serves as the primary point of contact for external auditors, QSAs, and bank partners, ensuring the organization maintains a strong, audit-ready security posture aligned with regulatory expectations and contractual obligations.

ESSENTIAL JOB FUNCTIONS:

PCI DSS Program Ownership
  • Own and manage the end-to-end PCI DSS compliance program, including scope definition, control validation, evidence collection, and remediation tracking
  • Serve as the primary liaison with external Qualified Security Assessors (QSAs) for annual assessments, ROC/AOC delivery, and ongoing advisory support
  • Coordinate quarterly ASV scans, penetration testing, and continuous compliance activities
  • Maintain PCI-related policies, procedures, and responsibility matrices aligned with PCI DSS 4.0 expectations and bank partner requirements

SOC 2 Governance & Audit Management
  • Lead annual SOC 2 Type II readiness and examinations across all Trust Service Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy)
  • Manage audit timelines, evidence requests, auditor communications, and management responses
  • Partner with internal teams to ensure control design and operating effectiveness are maintained throughout the year
  • Drive continuous improvement initiatives based on audit observations and risk assessment outcomes

Banking Partner & Third-Party Security Oversight
  • Act as the primary security point of contact for banking partners, responding to due diligence requests, security questionnaires, and onsite/virtual assessments
  • Support new bank integrations by providing security documentation, control mappings, and risk summaries
  • Coordinate remediation activities tied to bank partner findings or contractual security requirements
  • Build trusted relationships with partner risk, compliance, and information security teams

Risk Management & GRC Operations
  • Own the enterprise risk assessment process, including risk identification, analysis, treatment planning, and executive reporting
  • Maintain audit-ready documentation within the GRC platform, ensuring traceability across risks, controls, and remediation plans
  • Partner with Vendor Management and Legal to support third-party risk assessments and contract security requirements
  • Develop and maintain security policies, standards, and procedures aligned with SOC 2, PCI DSS, NIST CSF, and banking expectations

Leadership & Cross-Functional Collaboration
  • Provide guidance and oversight to GRC analysts or compliance contributors (direct or matrixed)
  • Translate complex regulatory requirements into clear, actionable guidance for technical and business teams
  • Deliver executive-level updates on compliance posture, audit status, and risk trends
  • Support board-level and executive reporting as needed for audits, bank reviews, and regulatory inquiries

MINIMUM QUALIFICATIONS: To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the minimum knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform essential functions.
  • Bachelor's degree in Information Security, Cybersecurity, Information Technology, Risk Management, or a related field, preferred.
  • 5+ years of experience in Information Security, Compliance, or Risk Management.
  • Deep hands-on experience managing PCI DSS programs in regulated or bank-integrated environments.
  • Proven experience leading SOC 2 Type I & II audits end-to-end.
  • Strong understanding of banking partner security expectations, third-party risk management, and regulatory oversight.
  • Experience working cross-functionally with Security Engineering, Infrastructure, Legal, and Compliance teams.
  • Experience in FinTech, banking, or highly regulated SaaS environments, preferred.
  • Familiarity with NIST CSF, ISO 27001, and vendor risk frameworks, preferred.
  • Hands-on experience with GRC tooling (risk registers, evidence repositories, workflow automation), preferred.
  • Relevant certifications: CISSP, CISA, CISM, PCI ISA, or QSA (or working toward).

COMPETENCIES:
  • Customer Service: Exceptional attitude and a passion for providing outstanding service to internal customers.
  • Regulatory & Compliance Knowledge: Strong understanding of frameworks such as PCI DSS, SOC 2, NIST, and ISO 27001; applies requirements effectively across the organization.
  • Risk Assessment & Analysis: Identifies, evaluates, and prioritizes risks; translates findings into actionable mitigation plans.
  • Audit Management: Supports audit readiness through control validation, evidence management, and timely remediation of findings.
  • Attention to Detail: Ensures accuracy and completeness in documentation, controls, and audit artifacts; maintains an audit-ready environment.
  • Communication: Clearly communicates complex compliance and security concepts to technical and non-technical stakeholders.
  • Stakeholder Management: Builds effective relationships with internal teams, auditors, and banking partners; responds to requests with professionalism and urgency.
  • Problem Solving: Analyzes issues and implements practical solutions that balance regulatory requirements and business needs.
  • Collaboration: Works cross-functionally with Security, Engineering, Legal, and Compliance teams to drive GRC initiatives.
  • Accountability & Ownership: Takes ownership of deliverables and follows through on commitments in a timely and reliable manner.

SUPERVISORY RESPONSIBILITY
None

PHYSICAL DEMANDS
While performing the duties of this job, the employee is regularly required to stand, walk, reach, and sit for a minimum of 8 hours with or without reasonable accommodation. The employee is required to use hands to finger, handle, or feel objects and/or tools. The employee is required to talk or hear with or without reasonable accommodation and must sometimes lift and move up to 10 pounds.

WORK ENVIRONMENT
While performing the logistics duties of this job, the employee is frequently exposed to moderate noises such as computers, printers, and other light traffic noise in an office setting.

This role is in-office. Remote work may be performed from a pre-approved location, as arranged and scheduled by team management and approved by department leadership.

OTHER DUTIES
Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties, or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change or be supplemented at any time with or without notice.

Equal Opportunity Employer
This employer is required to notify all applicants of their rights pursuant to federal employment laws. For further information, please review the Know Your Rights notice from the Department of Labor.

Created: 2026-04-02
