Need help hiring top legal talent? Contact our team.
Company logo

Principal PCI Compliance Analyst

Posted Jul 09
Full Time
United States

Toast is driven by building the restaurant platform that helps restaurants adapt, take control, and get back to what they do best: building the businesses they love.

The Technical Governance, Risk and Compliance (Technical GRC) team enables the growth of Toast as we build secure products and enter new markets while meeting industry and regulatory requirements. Our team is a second-line function, providing oversight and leadership to a first-line team designed for high-velocity product innovation and development.

We are currently seeking a Principal Analyst for Technical Compliance who will be responsible for overseeing all aspects of Toast's PCI Compliance Program. In this role, you will collaborate with various teams throughout Toast, including Product, Infrastructure Engineering, IT Security, Developers, Legal, and Risk to ensure our products and processes are following PCI standards. The successful candidate will report directly to the Senior Director of Technical Compliance who is responsible for establishing and maintaining compliance programs across Toast globally.

*About this roll (Responsibilities)

_Audit / Assessment Management


  • Lead the planning and execution of PCI assessments of the Toast payment solutions and environments, which includes interpreting and assessing controls using compliance frameworks with a focus on payment card compliance and security (e.g. PCI-DSS, PCI-SSF, PTS, PIN Security Requirements, and P2PE).
  • Coordinate with external assessors (QSA / other), process/control owners, and other key internal / external stakeholders to streamline the assessment process for gained efficiencies, including activities related to collecting evidence and refining the relevant runbooks.
  • Own and manage the budget for external assessments including agreeing to fees and tracking.
  • Lead the monitoring of the implementation and validation of any recommended remediations from internal or external assessments.

_Readiness and other compliance support activities


  • Define and lead activities to support ongoing PCI program health and maturity.
  • Document and maintain cardholder data environment scope narratives and supporting evidence.
  • Monitor business activities by collaborating with cross-functional team leaders to ensure the organization maintains compliance with external certifications.
  • Advise and consult with internal teams on PCI related initiatives and programs, development of a continuous monitoring program and provide general PCI-related support to technical teams.
  • Perform ongoing design and operating effectiveness reviews to identity changes impacting relevant products and infrastructure and work with teams on compliance readiness roadmaps.
  • Manage and respond to customer requests regarding PCI compliance.
  • Create and maintain documentation to support the PCI Management Program.
  • Develop and deliver training on PCI topics to relevant stakeholders.
  • Collaborate with other members of the GRC team on team-wide initiatives.

*Do you have the right ingredients? (Requirements)

  • Experience (8+ years) in Security GRC, IT security, or a related field, with in-depth working knowledge of PCI standards including PCI DSS, preferably inside fast growing companies.
  • A strong understanding of cloud computing architectures and security patterns, including assessing and implementing PCI controls in such environments.
  • High levels of curiosity, persistence, and a grounded approach to getting things done
  • Familiarity with GRC (Governance, Risk, and Compliance) solutions, tools, platforms, and Enterprise Risk Management (ERM) processes.
  • Knowledge of industry security, audit, and privacy standards, frameworks, and regulations, such as PCI DSS (and other PCI standards), ISO27001, COBIT, SSAE18, GDPR, EBA’s ICT, DORA.
  • Relevant industry certifications such as CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager) OR equivalent expertise. QSA certification / experience preferred.

*Our Spread of Total Rewards

We strive to provide competitive compensation and benefits programs that help to attract, retain, and motivate the best and brightest people in our industry. Our total rewards package goes beyond great earnings potential and provides the means to a healthy lifestyle with the flexibility to meet Toasters’ changing needs. Learn more about our benefits at

  • Bread puns encouraged but not required

The base salary range for this role is listed below. The starting salary will be determined based on skills and experience. In addition to base salary, our total rewards components include cash compensation (overtime, bonus/commissions if eligible), equity, and benefits.

Pay Range

$147,000—$235,000 USD

We are Toasters

Diversity, Equity, and Inclusion is Baked into our Recipe for Success.

At Toast our employees are our secret ingredient. When they are powered to succeed, Toast succeeds.

The restaurant industry is one of the most diverse industries. We embrace and are excited by this diversity, believing that only through authenticity, inclusivity, high standards of respect and trust, and leading with humility will we be able to achieve our goals.

Baking inclusive principles into our company and diversity into our design provides equitable opportunities for all and enhances our ability to be first in class in all aspects of our industry.

*Bready to make a change? Apply today!

Toast is committed to creating an accessible and inclusive hiring process. As part of this commitment, we strive to provide reasonable accommodations for persons with disabilities to enable them to access the hiring process. If you need an accommodation to access the job application or interview process, please contact