PCI Compliance Senior Advisor and Internal Assessor

Vancouver, Canada City of Vancouver Full time

Located on the traditional, ancestral and unceded lands of the xʷməθkʷəy̓əm (Musqueam), Sḵwx̱wú7mesh (Squamish), and səlilwətaɬ (Tsleil-Waututh) Peoples, Vancouver has a commitment to becoming a City of Reconciliation. Vancouver consistently ranks as one of the world’s most liveable cities and is working towards being the greenest city in the world. Named among Canada's Top 100 Employers, BC's Top Employers, and Canada's Greenest Employers, the City of Vancouver seeks colleagues who can help shape and embody our core commitments to sustainability, reconciliation, equity and outstanding quality of life for all residents.

Consider joining our committed team of staff and being part of an innovative, inclusive and rewarding workplace.

Main Purpose and Function

Risk Management is responsible for providing risk mitigation strategies to ensure ongoing compliance with Payment Card Industry (“PCI”) data security standards, by staying abreast of industry best practices, by promoting risk awareness among business units, and by ensuring that proper documentation and audit evidence is available to support ongoing compliance and re-certification requirements. Risk Management plays a key role in mitigating the serious financial, reputational, and operational risks due to non-compliance.

The PCI Compliance Senior Advisor and Internal Assessor is a specialized advisory and complex analytical role in the field of information and payments technology. This role is responsible for providing technical advice and strategic decision-making support to the Senior Manager, Cyber Risk and PCI Compliance in order to facilitate the City’s strategic design and implementation of payment channels. As a subject matter expert, this role performs compliance monitoring, business process analysis, and makes recommendations for corrective action, process improvement, and documentation in accordance with the City’s PCI Compliance Policy and external PCI Data Security Standards.

Specific Duties and Responsibilities

Compliance Planning and Analytics

  • Develops action plans to manage compliance against PCI data security standards.
  • Makes recommendations for corrective action, process improvement, and documentation in accordance with the City’s PCI Compliance Policy and external PCI Data Security Standards.
  • Formalizes risks, develops audit plans, and implements key internal controls associated with business unit processes and procedures.
  • Initiates and maintains relationships with the PCI compliance community to anticipate security standard evolution.
  • Develops, maintains, and publishes educational and security training content for the PCI awareness campaign.
  • Prepares executive management reporting and analytics.
  • Manages relationship with external consultants, as necessary.
  • Organizes and manages PCI technical artifacts for yearly audits.
  • Prepares reports, presentations, correspondence and other materials related to work.

Project Management and Strategic Business Support

  • Obtains documentation (i.e. flow diagrams) from business units that map out the flow of payment information from the point that it’s acquired from the customer to the point that it flows through the payment processing activities.
  • Responds to service requests and general inquiries related to compliance and audit requirements by managing the PCI e-mail inbox.
  • Assesses new or change requests to payment channels.
  • Executes necessary due diligence of all proposed third-party service provider payment channels/business models.
  • Maintains business unit technical intelligence and recommends technical measures that align with compliance requirements within existing and potential payment channels.
  • Creates content and maintains PCI document library related to payment channels, audit and certifications, business unit and standards intelligence, education material, and internal PCI webpage.
  • Advises Business Units in the creation of end-user documentation that describes compliance related processes, procedures, and compensating controls.
  • Works with departmental staff and with analysts to define issues and incidences of non-compliance, analyses information, and determines solutions.
  • Develops relationships and negotiates with business unit leaders to implement compliance solutions and consistent compliance with City’s PCI Compliance Policy.
  • Partners with the IT Department to assess new or change requests to payment channels.
  • Recommends industry best practices for compliance and operational efficiencies.
  • Manages and executes necessary due diligence of all proposed third-party service provider payment channels/business models.
  • Oversees change management activities related to the City’s cardholder data environment.

Risk Management and Mitigation

  • Performs on-going assessments and monitoring of technical controls, documentation, procedures, processes, and proper operating of internal controls.
  • Leads PCI specific audits and risk assessments of business units and recommends policy, procedure, and process improvements to ensure ongoing compliance.
  • Documents non-compliance incidences.
  • Tracks and facilitates the remediation of technical and audit compliance related issues identified through gap analysis.
  • Recommends internal controls improvements, remediation actions and work breakdown structures to ensure any identified audit gaps are addressed in a timely manner for ongoing compliance.
  • Reviews and analyses vulnerability assessments to identify control weaknesses.
  • Assesses the effectiveness of existing internal controls and recommends improvements.
  • Implements key controls associated with business processes and procedures.

Other duties/responsibilities and projects as assigned.

Qualifications

Education and Experience:

  • Post-secondary graduation in Information Management, Information Technology, or Applied Sciences; considerable related experience in a large enterprise or consulting firm advising large enterprise clients; or an equivalent combination of training and experience
  • Project Management Professional (“PMP”) or previous PCIP certification or equivalent designation
  • Working experience in leading and executing risk assessments in large enterprise environments
  • Strong technical background and experience working in Network Technology, Software Engineering, Computer Science, Engineering, Business or Business Technology Management discipline is required
  • Ability to meet transportation requirements

Knowledge, Skills and Abilities:

  • Thorough knowledge of PCI Data Security Standards
  • Working knowledge of the Information Technology function, IT Security, IT systems, and processes related to Cyber Risk Management
  • Strong knowledge of process development and mapping business and IT processes using systems analysis techniques
  • Up-to-date knowledge on IT and security-based compliance and auditing standards, along with their documentation requirements
  • Project management skills to manage competing priorities and to deliver results under aggressive timelines
  • Excellent inter-personal and diplomatic skills to navigate dynamic personalities
  • Clear and succinct communication (written and verbal) skills
  • Creative and critical thinking skills to challenge ideas, processes, and procedures
  • Strong research, analytical, and problem-solving skills and an attention to detail
  • Strong process development, process mapping, and re-engineering skills
  • Ability to independently identify risks, perform complex analysis, and present thorough and persuasive recommendations.
  • Ability to prepare and maintain reports, presentations, correspondence, and other related materials using Microsoft Office
  • Ability to collect, analyze and evaluate information for decision-making purposes
  • Ability to present to executive management and to generate compliance reporting
  • Ability to establish and maintain effective liaison and working relationships with a variety of senior level internal and external contacts
  • Ability to combine business acumen, technical acumen, and process expertise to define control requirements
  • Ability to lead, motivate, and instill a results-oriented attitude across the organization
  • Aptitude to adapt to dynamic environments and to rapidly comprehend diverse/complex business models and technology

Where operationally appropriate and subject to change, the City of Vancouver has a Flexible Work Program. This program allows staff to work remotely 1 – 2 days a week from locations that are a daily commutable distance from their work at a City worksite. At this time this position is eligible to be part of the Flexible Work Program.

Business Unit/Department: Finance, Risk & Supply Chain Management (1150)

Affiliation: CUPE 15 Non Pks

Employment Type: Regular Full Time

Position Start Date: August, 2024

Salary Information: Pay Grade GR-033: $61.13 to $72.45 per hour

At the City of Vancouver, we are committed to recruiting a diverse workforce that represents the community we so proudly serve. Indigenous peoples, people of colour, 2SLGBTQ+ persons including all genders and persons with disabilities are encouraged to apply. Accommodations will be provided upon request during the selection process. Learn more about our commitment to diversity and inclusion.

Before you click Apply now

Once you start your application you can save your work and leave the applications page, however please remember to submit your profile to the specific job requisition before the posting closing date.

In addition to uploading your cover letter and resume, part of the application process may include answering application questions related to the preferred requirements of the role which may take approx. 5-10 minutes. Cover letters should express interest and highlight additional information relevant to the position and resumes should include a summary of skills and experience related to the position.

Requisition ID: 41448