
Senior GRC Lead, Third-Party Risk & PCI

Job in Bengaluru, 560001, Bangalore, Karnataka, India
Listing for: Konecta
Full Time position
Listed on 2026-02-17
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Data Security, IT Business Analyst
Job Description & How to Apply Below
Location: Bengaluru

The Opportunity
This is a critical, high-visibility role for a seasoned professional focused on protecting our company from supply chain threats and ensuring the security of our payment processing systems. As the domain leader for our Third-Party Risk Management (TPRM) program and PCI DSS 4.0.1 compliance, you'll be on the front lines of our defense. We're looking for a proactive and autonomous professional who can take full ownership of their programs, conduct deep-dive risk analysis, and drive remediation across the organization and with our external partners.

Your work is essential to securing our data and enabling our business to grow safely.

What You Will Do (Key Responsibilities)
As the Senior GRC Analyst for TPRM & PCI, you will be the owner and driver of our vendor security and payment card compliance programs. Your key responsibilities will include:
Own and drive the entire PCI DSS compliance lifecycle, from conducting the annual gap assessment and defining scope to managing the Report on Compliance (ROC) with our Qualified Security Assessor (QSA).
Take full ownership of maturing and operating the end-to-end TPRM lifecycle. This includes refining the vendor risk-tiering methodology, enhancing assessment procedures, and executing the annual risk assessments for all top critical vendors.
Partner with the Senior GRC Analyst, Security Privacy & AI Governance to assess and validate vendor compliance with HIPAA and global data protection requirements.
Act as the primary GRC contact for Procurement, Legal, and business unit owners. You will lead vendor security reviews for new contracts and renewals, ensuring risks are identified and mitigated before agreements are signed.
Own the remediation tracking process for all identified third-party and PCI-related risks. You will work directly with vendors and internal teams to ensure they meet their commitments to close security gaps.
Collaborate with the GRC team by providing evidence and expertise related to vendor controls during our SOC 2 and ISO 27001 audits.
Ensure all significant risks identified through the TPRM and PCI programs are accurately documented, scored, and tracked in the central GRC risk register.

Required Qualifications
A minimum of 6-7 years of direct experience in PCI DSS compliance.
A minimum of 3-4 years in Third-Party Risk Management.
Proven experience leading the PCI DSS compliance lifecycle, including managing relationships with QSAs and driving remediation of complex findings.
A track record of maturing and scaling a formal Third-Party Risk Management program, moving beyond simple assessments to a risk-based, lifecycle approach.
A strong ability to analyze complex vendor security documentation (e.g., SOC 2 reports, security policies, audit reports) to identify and articulate potential risks.
A Bachelor's degree in a relevant field such as Cybersecurity, Information Technology, or Business.

Preferred Qualifications
Active professional certifications are a significant plus. Examples include CTPRP, CISSP, PCIP, etc.
Experience assessing vendors for compliance with HIPAA or other industry-specific regulations.
Familiarity with reviewing and negotiating security and privacy clauses in vendor contracts.
Hands-on experience with GRC and TPRM platforms (e.g., Vanta, Drata, OneTrust).
Position Requirements
10+ Years work experience