Role Description

We are seeking a highly skilled PCI Compliance & Audit Governance Manager to serve as the dedicated end-to-end compliance owner for 2-3 assigned business units within our organization. In this critical role, you will act as the subject matter expert and primary point of accountability for Payment Card Industry Data Security Standard (PCI-DSS) compliance across your assigned scopes from day-to-day control monitoring through annual recertification and third-party audit management.

This position bridges the gap between technical security requirements and business operations, requiring a practitioner who can translate PCI-DSS mandates into actionable controls, work cross-functionally with IT, finance, legal, and business leadership, and drive a culture of sustained compliance across their assigned accounts.

Key Responsibilities

• End-to-End Compliance Governance
  • Serve as the sole compliance owner for 2–3 designated business unit scopes, maintaining comprehensive accountability for their PCI-DSS posture.
  • Define, implement, and continuously improve compliance governance frameworks tailored to each assigned business unit's operating model and cardholder data environment (CDE).
  • Establish and maintain scope boundary documentation, data flow diagrams, and network segmentation evidence for each assigned account.
  • Conduct regular compliance health assessments across all assigned scopes and report status to executive stakeholders via dashboards and governance reports.
  • Identify, document, and track control gaps, compensating controls, and risk acceptance decisions in alignment with PCI-DSS v4.0 requirements.
  • Partner with business unit leaders to embed compliance requirements into project intake, change management, and product development lifecycles.
• Annual PCI-DSS Recertification
  • Own the annual PCI-DSS recertification process for all assigned accounts, acting as the primary liaison with Qualified Security Assessors (QSAs) and internal stakeholders.
  • Develop and manage detailed recertification project plans, timelines, and RACI matrices to ensure on-time, audit-ready submissions.
  • Coordinate evidence collection from control owners across IT, operations, HR, and business units — validating completeness, accuracy, and audit readiness.
  • Maintain a continuous evidence repository and artifact management system to eliminate last-minute scrambles during assessment windows.
  • Review and respond to QSA Requests for Information (RFIs), findings, and preliminary observations on behalf of assigned business units.
  • Drive remediation of any deficiencies identified during assessments, tracking closure through established issue management workflows.
  • Complete and submit Attestations of Compliance (AOCs), Self-Assessment Questionnaires (SAQs), and Report on Compliance (ROC) documentation as applicable.
• Audit Management
  • Design and operate a structured audit management program covering all PCI-related internal and external audit activities for assigned scopes.
  • Manage QSA and internal audit relationships, scheduling, logistics, and stakeholder communication throughout engagement lifecycles.
  • Maintain and continuously improve the audit management toolset (GRC platforms, ticketing integrations, evidence portals) to support efficient, repeatable audit cycles.
  • Develop standardized audit response playbooks, evidence templates, and interview preparation guides for control owners.
  • Track all audit findings, management responses, and remediation milestones to closure — escalating aged or high-risk items to leadership.
  • Conduct post-audit retrospectives and incorporate lessons learned into governance processes and evidence collection practices.
• Control Monitoring & Continuous Compliance
  • Establish and oversee a control monitoring calendar aligned to PCI-DSS testing frequencies (daily, weekly, monthly, quarterly, annual) for each assigned scope.
  • Define Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for each PCI control domain within assigned business units.
  • Perform or coordinate quarterly vulnerability scan reviews, penetration test oversight, access reviews, and log review attestations.
  • Monitor threat intelligence and PCI SSC updates, proactively assessing impact of new requirements or guidance on assigned scopes.
  • Support third-party vendor assessments to verify that service providers used by assigned business units maintain their own PCI compliance.
• Stakeholder Engagement & Advisory
  • Act as the trusted compliance advisor for business unit leadership, providing clear, actionable guidance on PCI-DSS obligations and risk posture.
  • Deliver regular compliance status briefings and steering committee presentations for assigned accounts.
  • Provide PCI-DSS training and awareness sessions to control owners, IT staff, and business operations teams within assigned scopes.
  • Advise on new business initiatives, technology adoptions, and process changes to ensure PCI requirements are addressed proactively.
  • Collaborate with Legal, Privacy, and Risk teams to align PCI compliance activities with broader enterprise GRC strategy.

Qualifications

• Bachelor’s degree in information security, Computer Science, Information Systems, or a related field; combined 5 plus years professional experience considered.
• 5+ years of hands-on experience in PCI-DSS compliance, information security, or IT audit roles.
• Minimum 2 years of direct experience managing PCI-DSS assessments (QSA engagement, ROC/SAQ preparation) as a primary owner.
• Demonstrated experience managing compliance obligations for multiple business units or organizational scopes simultaneously.

Requirements

• 2 plus years working knowledge of PCI-DSS v4.0 requirements, SAQ types, and ROC/AOC processes.
• 2 plus years Strong understanding of network security concepts, segmentation controls, and cardholder data environment (CDE) scoping methodologies.
• Familiarity with vulnerability management processes, penetration testing oversight, and security monitoring in payment card environments.
• Experience with GRC platforms for audit and compliance management.
• Working knowledge of cloud environments (AWS, Azure, GCP) in PCI-scoped contexts.

Preferred Qualifications

• Experience in financial services, payments, retail, or e-commerce industries with large-scale PCI scopes.
• Prior experience working directly as or alongside a Qualified Security Assessor (QSA).
• Familiarity with related frameworks (SOC 2, ISO 27001, NIST CSF) and control mapping across standards.
• Experience managing service provider PCI compliance oversight and third-party risk programs.
• Exposure to tokenization, point-to-point encryption (P2PE), and other PCI scope-reduction technologies.
• Scripting or automation experience to streamline evidence collection and monitor workflows.

Benefits

• Health and Welfare Benefits: Our health and welfare benefits can be tailored to fit you and your family's needs and start on the first day of employment.
• Retirement Savings: We will support you as you save for your future.
• Employee Discounts: We offer you access to a vast selection of global, national, and local discounts on merchandise, services, travel, and more.
• Career Growth Opportunities: We help you thrive, so together, we can grow. We provide opportunities to advance your career with a vast portfolio of businesses and a global footprint.
• Paid Training: Earn while you learn and continue to grow with access to award-winning learning platforms throughout your Conduent career.
• Paid time off: We provide attractive paid time off packages designed for you to enjoy your life away from work.
• Great Work Environment: We are proud of our award-winning culture and the recognition we’ve received for our diversity efforts.