GRC Manager (PCI-DSS Focus)
You'll own PCI-DSS end to end: getting us certified as a service provider, passing the audit, and keeping the status year after year. That means leading the scoping work, defining the cardholder data environment, driving remediation, and managing the relationship with the QSA. The part that matters most: you can take a compliance requirement and turn it into something real. A PCI control is not closed because a policy says so. It's closed when there's a technical or process change that actually satisfies it, and evidence that it works. We need someone who can sit with engineering and infrastructure, translate a requirement into a concrete solution, and make sure it sticks. Beyond PCI, you'll bring leadership to the wider GRC program: risk, audits, frameworks, and the discipline that keeps us continuously ready rather than scrambling before each examination. You'll report to the Group CISO with the autonomy to run compliance as your own area. Justification Card issuing and payments revenue depend on PCI-DSS certification, and we don't currently have anyone who owns that program or the service provider compliance posture behind it. The work requires someone senior enough to lead scoping and audit, technical enough to translate requirements into real controls, and disciplined enough to keep the status maintained rather than letting it lapse between audits. This role provides that ownership and strengthens the GRC function overall.
Responsibilities
PCI-DSS certification and maintenance Own the PCI-DSS program end to end as a service provider: scoping, gap assessment, remediation, certification, and annual maintenance Define and minimize the cardholder data environment; drive segmentation and scope reduction with engineering and infrastructure Manage the QSA relationship: scoping workshops, evidence packages, assessment, and findings Keep the certification live between audits: quarterly requirements, ongoing evidence, control monitoring Translating compliance into reality Turn PCI and other framework requirements into concrete technical and organizational solutions, working directly with engineering and infrastructure teams Distinguish between a control that exists on paper and one that actually works, and insist on the latter Design the processes and evidence flows that keep controls satisfied without constant manual effort Audit and assurance Lead internal and external audits: scope, evidence, finding responses, closure Build and maintain an evidence base that supports continuous readiness across PCI, ISO 27001, and BSP Coordinate the ISO 27001 surveillance cycle GRC leadership Bring structure and ownership to the wider compliance and risk program Maintain the risk register as a working document and drive treatment with system owners Run vendor security assessments and track third-party compliance obligations Report compliance posture clearly to leadership and governance committees
Requirements
Experience 6+ years in security GRC, compliance, or audit, with real ownership of a compliance program Has led a PCI-DSS certification end to end, ideally as a service provider, and maintained the status across cycles Has managed a QSA relationship and run a real audit, not just supported one Has led cardholder data environment scoping and segmentation decisions with technical teams Comfortable across at least PCI-DSS and one of ISO 27001 or a banking framework (BSP MORB or equivalent) Worked in a regulated environment where compliance was enforced, not aspirational What sets the right person apart Can translate a compliance requirement into a specific technical or process change, and explain it to engineers in their terms Understands the technology well enough to know whether a proposed control actually satisfies the requirement Treats certification as a state to maintain, not a one-time project Builds evidence and monitoring into how controls run, rather than collecting it under deadline pressure Technical understanding Solid grasp of network segmentation, access control, encryption, logging, and the other technical domains PCI touches Enough literacy in cloud (AWS), identity, and infrastructure to hold a credible conversation with engineering about how a control is implemented Comfortable working in Jira and Confluence, and open to building automation around evidence and reviews Nice to have Experience with a GRC platform (Vanta, Thoropass, ServiceNow GRC, or similar) Familiarity with BSP examination processes or Philippine financial services regulation Certifications: PCI-DSS ISA, CISA, CRISC, CISSP, ISO 27001 Lead Auditor or Implementer Communication Strong written and verbal English; most work is async and documentation quality matters Can lead a working session with engineering and a reporting conversation with leadership equally well