Senior Security GRC Analyst; PCI ISA Specialist
Job in
Austin, Travis County, Texas, 78719, USA
Listed on 2026-06-05
Listing for:
BigCommerce
Full Time
position Listed on 2026-06-05
Job specializations:
-
IT/Tech
Cybersecurity, Information Security, Data Security, IT Consultant
Job Description & How to Apply Below
Welcome to the Agentic Commerce Era
At Commerce, our mission is to empower businesses to innovate, grow, and thrive with our open, AI-driven commerce ecosystem. As the parent company of Big Commerce, Feedonomics, and Makeswift, we connect the tools and systems that power growth, enabling businesses to unlock the full potential of their data, deliver seamless and personalized experiences across every channel, and adapt swiftly to an ever-changing market.
We believe in harnessing AI responsibly to unlock new possibilities, and we're looking for individuals who use it intentionally to solve problems, accelerate outcomes, and expand what's possible in their role. Our purpose is to help businesses confidently solve complex commerce challenges so they can build smarter, adapt faster, and grow on their own terms. If you want to be part of a team of bold builders, sharp thinkers, and technical trailblazers who shape the future of commerce, this is the place for you.
As a Senior Security GRC Analyst and Internal Security Assessor (ISA), you will serve as the primary Subject Matter Expert (SME) for our global PCI DSS program operate a highly mature PCI DSS 4.0 environment; your mission is to lead the continuous evolution of this program, ensuring that compliance is integrated into our "business as usual" (BAU) operations.
While your primary focus is PCI, you will be a key player in our broader GRC function, supporting our SOC2 and ISO 27001 certifications. You will act as the technical bridge between our Engineering, Infrastructure, and IT teams and external auditors, ensuring that our high-security standards are documented, validated, and maintained.
What You'll Do:
PCI SME & Internal Security Assessor (ISA)
* ISA Leadership:
Serve as the officially designated PCI ISA for the organization. Manage the annual assessment lifecycle, including scoping, evidence collection, and validation of controls.
* PCI 4.0 Evolution:
Direct the ongoing maintenance of our PCI 4.0 program, with a specific focus on managing Targeted Risk Analyses (TRAs) and the customized approach where applicable.
* Scoping & Segmentation:
Partner with Cloud Engineering to validate PCI scope across our global footprint, ensuring effective network segmentation and data flow isolation.
* QSA Liaison:
Act as the primary point of contact for our external QSA, defending our control environment and streamlining the audit process to minimize disruption to technical teams.
* Continuous Compliance:
Operationalize PCI requirements (e.g., quarterly scans, penetration test remediation) into automated workflows.
Multi-Framework Audit Management
* Unified Control Framework:
Support the broader GRC team in managing our SOC2 Type 2, ISO 27001, and other regulatory audits (as seen on ).
* Technical Advisory:
Provide GRC perspective on architectural designs, product launches, and infrastructure changes to ensure "compliance by design."
* Remediation Management:
Track and drive the remediation of audit findings and security gaps, working closely with asset owners to find pragmatic, secure solutions.
Who You Are:
* Experience:
6+ years in an Information Security or IT Audit role, with at least 3 years of deep focus on PCI DSS within a major cloud-native environment.
* Certification:
Active PCI ISA (Internal Security Assessor) or PCI QSA certification is mandatory.
* Regulatory Expertise:
Thorough understanding of PCI DSS 4.0 requirements and the practical application of the standard in modern environments.
* Audit Fluency:
Proven experience leading Level 1 Service Provider assessments.
* Communication:
Ability to explain complex compliance requirements to developers and business leaders in a way that emphasizes enablement rather than "blockage."
Preferred Qualifications
* Broad Framework Knowledge:
Experience with SOC2 and ISO 27001:2022.
* Cloud Security:
Experience with GRC automation and familiarity with modern cloud-native security and observability tools.
* Automation Mindset:
Experience using GRC platforms and a desire to automate manual evidence collection to reduce audit fatigue.
About You
* You understand the "Why":
You don't just "do compliance"; you understand the security intent behind every control and can help teams meet the requirement in a way that actually improves our security posture.
* Technical Curiosity:
You are comfortable diving into technical configurations (IAM policies, VPC flow logs, etc.) to verify control effectiveness yourself.
* Adaptable:
You enjoy the challenge of a high-paced environment where scale and security must coexist and evolve together.
This is a Hybrid role - Beginning March 1, 2026, employees who live within commuting distance of a Dedicated Office will be expected to be in the office three days per week.
#LI-KE1
#LIHYBRID
(Pay Transparency Range: $88,951.00 - $)
Compensation Transparency
The national base salary range for this role is posted above in this job post.
Final compensation will be determined based on factors such as relevant experience, skills,…
Position Requirements
10+ Years
work experience
To View & Apply for jobs on this site that accept applications from your location or country, tap the button below to make a Search.
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).
Search for further Jobs Here:
×