PCI DSS SAQ D Service Provider Lead

FYI-For Your Information, Inc.
Silver Spring, United States of America

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior

Job location

Silver Spring, United States of America

Tech stack

Amazon Web Services (AWS)
Software System Penetration Testing
Confluence
JIRA
Azure
Software as a Service
CompTIA Security+
Computer Security
Multi-Factor Authentication
Data Flow Control
Identity and Access Management
Information Technology Audit
PCI Data Security Standards
Secure Coding
Software Vulnerability Management
Data Logging
Google Cloud Platform
Vulnerability Analysis

Job description

FYI is seeking a PCI DSS SAQ D Service Provider Lead to support an active PCI compliance program for a SaaS/cloud/payment-adjacent environment. This role will own the PCI domain in a fractional capacity, including PCI scoping support, evidence sufficiency review, quarterly scan cadence, penetration testing evidence, remediation tracking, and responses to auditors, QSAs, processors, banks, or other requesting entities. The right candidate has done this work before and can drive their lane without constant prompting.

  • Support PCI DSS SAQ D Service Provider readiness, scoping, evidence review, and control interpretation.
  • Review PCI scope assumptions, in-scope systems, applications, integrations, service providers, and payment/data-flow considerations.
  • Coordinate and review evidence for quarterly external ASV scans and internal vulnerability scans.
  • Coordinate PCI-relevant penetration testing evidence, including scope, rules of engagement, final report review, remediation, and retest evidence.
  • Review evidence for file integrity monitoring, encryption, MFA, IAM, logging, monitoring, change control, secure development, vulnerability management, and remediation tracking where relevant to PCI DSS.
  • Identify weak, incomplete, stale, unclear, or nonresponsive evidence before submission.
  • Draft or review PCI-related auditor, QSA, processor, or requesting-entity responses.
  • Support tracking of PCI remediation items, exceptions, compensating-control discussions, and risk acceptance needs.
  • Help define and maintain recurring PCI compliance cadence, including quarterly scans and annual validation activities.
  • Provide concise written status updates, blockers, risks, and next actions to the project manager and CISO/vCISO.

Expected deliverables

  • PCI DSS SAQ D evidence and gap tracker inputs.
  • PCI scope notes, assumptions, and issue summaries.
  • ASV and internal vulnerability scan evidence checklists.
  • Penetration testing evidence checklist and report sufficiency review notes.
  • PCI remediation tracker updates and risk summaries.
  • PCI auditor/requesting-entity response drafts.
  • PCI quarterly and annual compliance calendar inputs.

Operating style required

This role requires a senior operator who can own the PCI lane in a fractional capacity. The contractor must communicate clearly, document next actions, identify blockers early, and coordinate through the project manager. This is not a casual side task. Responsiveness, ownership, and clean written work product are required.

Requirements

  • 8+ years of cybersecurity, GRC, IT audit, compliance, security consulting, or related experience.
  • Direct hands-on experience supporting PCI DSS assessments.
  • Direct experience with PCI DSS SAQ D; Service Provider experience is strongly preferred.
  • Experience with SaaS, cloud-hosted, fintech, payment, or payment-adjacent environments.
  • Working knowledge of ASV scanning, internal vulnerability scanning, penetration testing evidence, vulnerability remediation, IAM/MFA, encryption, logging, monitoring, FIM, change control, and secure development requirements.
  • Ability to translate PCI requirements into practical tasks for engineering, IT, security, and business stakeholders.
  • Strong written communication skills and ability to produce audit-ready summaries and responses.
  • Ability to work through ambiguity and distinguish sufficient evidence from weak or incomplete evidence.

Nice to have

  • Prior QSA, ISA, or QSA-firm experience.
  • PCI DSS v4.x experience.
  • CISA, CISSP, CISM, Security+, or equivalent certification.
  • Experience with Drata, Vanta, Secureframe, Hyperproof, Jira, Confluence, AWS, Azure, GCP, or similar platforms.
  • SOC 2 familiarity, especially where controls overlap with PCI DSS.

Benefits & conditions

FYI's Benefits/Incentives: What is in it for you?

  • Opportunity to work a hybrid work schedule
  • A knowledgeable, high-achieving, diverse, experienced, and fun team.
  • The chance to be part of a rapidly growing company and the next success story.
  • A competitive base salary with a loaded benefits package plus 401K.
  • Tuition/education assistance, personal computer allowance, pet insurance.

About the company

FYI - For Your Information, Inc. is an SBA certified, Woman-Owned Small Business and GSA schedule holder that is a premier provider of Human Capital, Training, and Information Technology services. We have won awards for being a Great Place to Work and continue to make ground-breaking advancements. For four years in a row, we have been on Inc. Magazine's 5000 list and were recently named one of Inc.'s 2024 Mid-Atlantic Fastest Growing companies.
