Senior Technical PCI Analyst; Hybrid - Seattle

Job in Seattle, King County, Washington, 98113, USA
Listing for: Nordstrom Inc.
Full Time position
Listed on 2026-06-07
Job specializations:
  • IT/Tech
    Cybersecurity
Job Description & How to Apply Below
Position: Senior Technical PCI Analyst (Hybrid - Seattle)
Job Description

Nordstrom is looking for a technically deep PCI SME who thrives at the intersection of hands-on payment security work and program building. You'll own our PCI DSS v4.0 compliance program end-to-end - from scoping and evidence collection through control testing and QSA coordination - while simultaneously building the operational backbone (processes, tooling, documentation) that keeps the program humming year-round, not just during assessment season.

You're the person who knows what's in scope. When an engineer asks "does this new microservice touch the CDE?" or a product manager wants to know if their new payment flow creates PCI exposure, you're the one they come to - and you give them a real answer, not an "it depends, let me escalate."

You'll also be a go-to resource and mentor for the other compliance analysts on the team. You won't manage anyone's performance reviews, but your PCI expertise will help level everyone up - answering questions, reviewing their work, and making sure the team speaks PCI fluently.

If you get a little too excited about data flow diagrams, have strong opinions about network segmentation, and have ever caught a scoping error that saved your company a world of pain - keep reading.

A Day in the Life

Own the PCI Program (for real)

* Drive the full PCI DSS v4.0 compliance lifecycle: scoping, gap assessment, evidence collection, control testing, and annual QSA coordination. You're not handing this off - you're running it.

* Build and maintain the CDE asset inventory - network segmentation docs, data flow diagrams, system component registers - across on-premises and cloud. If it touches cardholder data, you know about it.

* Design and run the periodic control testing program: scheduling, evidence requests, test procedures, exception tracking, and remediation follow-up. Assessment season should feel like a victory lap, not a fire drill.

* Write the policies, procedures, RACIs, and runbooks that make the program sustainable - so it doesn't fall apart when you take a vacation.

* Track findings, owners, and milestones in the GRC platform and surface the right KPIs and KRIs (open findings age, control test pass rates, inventory coverage) so leadership always knows where things stand.

Be the Scoping Expert in the Room

* Lead scoping conversations with engineering and infrastructure teams to define CDE boundaries in hybrid on-prem/cloud environments (AWS, Azure, GCP) - and back up your decisions with solid documentation.

* Review architecture changes, new products, and vendor integrations before they ship so PCI surprises happen in a design doc, not during QSA fieldwork.

* Spot de-scoping opportunities - whether it's segmentation, tokenization, or P2PE - and partner with engineering to get them implemented.

* Dig into network diagrams, cloud configs, and data flow docs to validate scope and find the undocumented CHD flows before the QSA does.

* Translate PCI requirements into concrete specs for engineers: what Req 6 means for their CI/CD pipeline, what Req 8 means for their IAM setup, what Req 10 means for their logging architecture.

Test Controls, Collect Evidence, Repeat

* Actually test technical controls - firewall rule reviews, patch compliance, access reviews, log configurations, encryption assessments. You're not just reviewing screenshots someone else took.

* Build a reusable testing library: documented test procedures for every in-scope Requirement, so each cycle gets more efficient, not more chaotic.

* Collect and validate evidence to QSA standards - complete, timestamped, traceable to specific sub-requirements. Future you will thank present you.

* Run the evidence request workflow with control owners so the week before QSA fieldwork isn't a full-team emergency.

Own the QSA Relationship

* Be the primary day-to-day QSA contact: coordinate fieldwork, manage document requests, and run walkthroughs with technical teams so engineers aren't getting cold-called by assessors.

* Defend scoping decisions, present compensating controls, and represent Nordstrom's compliance posture with confidence - because you built the program and you know it inside out.

* Manage acquiring bank and…
Position Requirements
10+ Years work experience