Toast is driven by building the restaurant platform that helps restaurants adapt, take control, and get back to what they do best: building the businesses they love.

The Technical Governance, Risk and Compliance (Technical GRC) team enables the growth of Toast as we build secure products and enter new markets while meeting industry and regulatory requirements. Our team is a second-line function, providing oversight and leadership to a first-line team designed for high-velocity product innovation and development.

We are currently seeking a Principal Analyst for Technical Compliance who will be responsible for overseeing all aspects of Toast's PCI Compliance Program. In this role, you will collaborate with various teams throughout Toast, including Product, Infrastructure Engineering, IT Security, Developers, Legal, and Risk to ensure our products and processes are following PCI standards.  The successful candidate will report directly to the Senior Director of Technical Compliance who is responsible for establishing and maintaining compliance programs across Toast globally. 

About this roll* (Responsibilities)

Audit / Assessment Management 

• Lead the planning and execution of PCI assessments of the Toast payment solutions and environments, which includes interpreting and assessing controls using compliance frameworks with a focus on payment card compliance and security (e.g. PCI-DSS, PCI-SSF, PTS, PIN Security Requirements, and P2PE).
• Coordinate with external assessors (QSA / other), process/control owners, and other key internal / external stakeholders to streamline the assessment process for gained efficiencies, including activities related to collecting evidence and refining the relevant runbooks. 
• Own and manage the budget for external assessments including agreeing to fees and tracking. 
• Lead the monitoring of the implementation and validation of any recommended remediations from internal or external assessments. 

Readiness and other compliance support activities 

• Define and lead activities to support ongoing PCI program health and maturity.
• Document and maintain cardholder data environment scope narratives and supporting evidence.
• Monitor business activities by collaborating with cross-functional team leaders to ensure the organization maintains compliance with external certifications.
• Advise and consult with internal teams on PCI related initiatives and programs, development of a continuous monitoring program and provide general PCI-related support to technical teams.
• Perform ongoing design and operating effectiveness reviews to identity changes impacting relevant products and infrastructure and work with teams on compliance readiness roadmaps. 
• Manage and respond to customer requests regarding PCI compliance.
• Create and maintain documentation to support the PCI Management Program.
• Develop and deliver training on PCI topics to relevant stakeholders.
• Collaborate with other members of the GRC team on team-wide initiatives. 

Do you have the right ingredients*? (Requirements)

• Experience (8+ years) in Security GRC, IT security, or a related field, with in-depth working knowledge of PCI standards including PCI DSS, preferably inside fast growing companies.
• A strong understanding of cloud computing architectures and security patterns, including assessing and implementing PCI controls in such environments. 
• High levels of curiosity, persistence, and a grounded approach to getting things done
• Familiarity with GRC (Governance, Risk, and Compliance) solutions, tools, platforms, and Enterprise Risk Management (ERM) processes.
• Knowledge of industry security, audit, and privacy standards, frameworks, and regulations, such as PCI DSS (and other PCI standards), ISO27001, COBIT, SSAE18, GDPR, EBA’s ICT, DORA. 
• Relevant industry certifications such as CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager) OR equivalent expertise. QSA certification / experience preferred.

Our Spread* of Total Rewards
We strive to provide competitive compensation and benefits programs that help to attract, retain, and motivate the best and brightest people in our industry. Our total rewards package goes beyond great earnings potential and provides the means to a healthy lifestyle with the flexibility to meet Toasters’ changing needs. Learn more about our benefits at https://careers.toasttab.com/toast-benefits.

*Bread puns encouraged but not required

#LI-Remote