Lead PCI Analyst


US Base Salary Range: $139,991 - $174,009

About Us

Bonterra exists to propel every doer of good to their peak impact. We measure that impact against our vision to increase the giving rate as a percentage of GDP from 2% to 3% by 2033. We know that this goal is lofty, but we are confident that the right technology and expertise will strengthen trust in the sector, allowing the social good industry to accelerate growth and reach peak impact. Bonterra's differentiated, end-to-end solutions collectively support a unique network of over 20,000 customers, including over 16,000 nonprofit organizations and over 50 percent of Fortune 100 companies. Learn more at bonterratech.com.

About the Role

Bonterra’s Information Security, Risk & Compliance team is hiring a Lead PCI Compliance Analyst to own our PCI DSS Level 1 certification program, partner with Engineering on PCI security by design, and serve as a senior risk analyst within the Risk function. This role works horizontally across the company, advising engineering and product teams during the design phase of greenfield payment work, leading response and coordination for PCI Level 1 events, and extending PCI risk analysis to cover AI components introduced into payment systems. It sits at the border of compliance and engineering, requiring fluency in both control design and technical architecture, and supports related frameworks such as ISO 27001:2022 and SOC reporting.

Job Responsibilities:

  • Own end-to-end PCI DSS Level 1 readiness, certification activities, and coordination with Qualified Security Assessors (QSAs)

  • Advise Engineering and Product teams during the design phase on PCI control selection, scope containment, and security by design patterns for both greenfield and modernization payment architectures, with depth across the following engineering disciplines:

    • Tokenization architecture: tradeoffs between vault based and vaultless tokenization, format preserving encryption, scope reduction analysis, and the downstream impact on application code paths, storage layers, and integration points with acquirers and processors

    • Cardholder data environment network segmentation: VLAN and microsegmentation strategies, service mesh policy enforcement, ingress and egress controls, jump host and bastion design, and segmentation validation testing under PCI DSS v4.0.1 Requirement 11.4.5

    • Cryptographic key management: HSM and cloud KMS architecture, FIPS validated cryptographic module selection, key hierarchy and envelope encryption, key rotation cadence, and separation of duties for key custodians under Requirements 3.6 and 3.7

    • Secure SDLC and threat modeling for payment flows: STRIDE and PASTA modeling of authorization, capture, and settlement paths, SAST, DAST, and SCA gating, secrets scanning, and software supply chain controls including SBOM generation, signed artifacts, and build provenance

    • Logging, monitoring, and file integrity: append only audit logs with cryptographic integrity, file integrity monitoring across ephemeral and containerized workloads, and centralized log aggregation with PCI specific correlation rules under Requirement 10

  • Lead and manage response to PCI Level 1 events, including investigation, evidence preservation, control failure analysis, executive communications, regulator and brand notifications where applicable, and remediation oversight through closeout

  • Serve as a Senior Risk Analyst within the Risk function, conducting in depth risk analysis on PCI security by design questions and on AI components embedded within payment systems (including model inference, prompt and data flows touching cardholder data, retrieval pipelines, and third party AI services entering PCI scope)

  • Drive greenfield workstreams that establish new PCI controls, scope boundaries, or architectural patterns rather than only maintaining existing ones

  • Partner with Product Security on modernization initiatives that reduce PCI scope and improve control design

  • Maintain scope documentation, evidence, and operational reports for PCI controls

  • Manage issues, exceptions, compensating controls, and risk acceptance tracking with timely remediation

  • Align PCI evidence and controls with ISO 27001 and SOC frameworks to streamline reporting

  • Support audits, vendor assessments, and customer due diligence requests related to PCI

  • Maintain compliance ticket queues, supplier and control registers, and awareness activities

  • Collaborate with Information Security, Risk & Compliance team members and control owners companywide
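The append-only audit log with cryptographic integrity named in the logging, monitoring and file integrity bullet above, as an added example that is not Bonterra's code and not part of the posting: each entry carries an HMAC over its canonical JSON body plus the previous entry's MAC, so modifying, deleting or reordering an entry breaks the chain. The integrity key, the event fields and the stored head value are constructed assumptions. It also shows the caveat a practitioner would check during design review: a hash chain alone does not detect silent truncation of the tail, so the latest MAC must be anchored somewhere the log writer cannot alter (a SIEM, a write-once bucket, or a signed checkpoint).

```python
"""Hash-chained, HMAC-protected append-only audit log with tamper detection.

Added example, not Bonterra's code. Assumes a per-environment HMAC key held
by the log collector (a constructed constant here) and entries serialized
as canonical JSON. Illustrates the 'append only audit logs with
cryptographic integrity' control referenced under PCI DSS Requirement 10.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed key for the example only. In production it lives in the
# KMS/HSM and is never readable by the hosts that emit log entries.
INTEGRITY_KEY = b"example-log-integrity-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(entry: Dict[str, Any]) -> bytes:
    # Exclude the entry's own MAC and sort keys so serialization is stable.
    body = {k: v for k, v in entry.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, entry: Dict[str, Any]) -> str:
    return hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()


def append_entry(log: List[dict], key: bytes, event: dict) -> dict:
    """Append `event` to `log`, chaining it to the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev, "event": event}
    entry["mac"] = _mac(key, entry)
    log.append(entry)
    return entry


def verify_chain(log: List[dict], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every entry is intact and correctly linked.

    Otherwise return (False, index of the first bad entry). If `expected_head`
    (the last MAC recorded in an external, write-once store) is supplied, a
    chain that verifies but ends elsewhere is reported as bad at index len(log):
    that is the truncation case a bare hash chain cannot see.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_mac(key, entry), entry.get("mac", "")):
            return False, i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def clone(log: List[dict]) -> List[dict]:
    """Deep copy via JSON round trip, used to build tampered variants."""
    return json.loads(json.dumps(log))


def build_sample_log() -> List[dict]:
    """Constructed sample events touching a tokenization service."""
    log: List[dict] = []
    for event in (
        {"actor": "svc-checkout", "action": "token.create", "pan_last4": "4242"},
        {"actor": "svc-settlement", "action": "token.detokenize", "pan_last4": "4242"},
        {"actor": "admin-jdoe", "action": "key.rotate", "key_id": "cde-dek-07"},
    ):
        append_entry(log, INTEGRITY_KEY, event)
    return log


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Run the intact log and three tampering scenarios; return the verdicts."""
    log = build_sample_log()
    head = log[-1]["mac"]  # what the SIEM would have recorded as the latest MAC

    modified = clone(log)
    modified[1]["event"]["action"] = "token.create"  # rewrite history

    deleted = clone(log)
    del deleted[1]  # drop the detokenize event

    truncated = clone(log)
    truncated.pop()  # drop the key rotation from the tail

    return {
        "intact": verify_chain(log, INTEGRITY_KEY, expected_head=head),
        "modified": verify_chain(modified, INTEGRITY_KEY),
        "deleted": verify_chain(deleted, INTEGRITY_KEY),
        "truncated_no_anchor": verify_chain(truncated, INTEGRITY_KEY),
        "truncated_with_anchor": verify_chain(truncated, INTEGRITY_KEY, expected_head=head),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

The `truncated_no_anchor` case verifies cleanly, which is the point: the chain proves that what remains is consistent, not that nothing was removed from the end. Anchoring the head MAC out of band (or periodically signing it with a key the writers do not hold) closes that gap and is the detail to ask about when an engineering team says their logs are "tamper-evident".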

Requirements

  • 7 or more years of PCI DSS program management experience with direct involvement in Level 1 merchant or service provider assessments under PCI DSS v4.0.1

  • Demonstrated experience advising engineering teams during the design phase, translating PCI requirements into architectural and implementation guidance engineers can execute against, including for greenfield builds at the border of compliance and engineering

  • Proven track record leading or coordinating PCI Level 1 events end to end, from initial triage through executive reporting, evidence package delivery, and remediation closeout

  • Senior risk analyst depth: ability to conduct independent risk analysis at the requirement level and at the architectural level, including scoping determinations, compensating control construction, security by design tradeoffs, and risk acceptance documentation defensible under audit

  • Working understanding of AI and machine learning components in payment or cardholder data environments, including how model inference, vector stores, retrieval pipelines, and third party AI services intersect with PCI scope and data flow assumptions

  • Experience engaging QSAs from an authoritative posture, substantiating risk positions with documented evidence rather than deferring to QSA interpretation

  • Hands on field experience working directly within engineering and infrastructure teams to evaluate control implementation at the technical layer and translate requirements into actionable remediation tasks

  • Familiarity with ISO 27001 and cloud native service environments

  • Strong analytical, organizational, and communication skills with the ability to produce defensible compliance documentation under audit conditions

  • Experience with GRC platforms, ticketing systems, and security tooling (for example SIEM or vulnerability scanners)

  • Preferred certifications: PCIP, ISA (prior QSA credential strongly preferred), CISA, CISM, CISSP

At this time, we are unable to consider candidates who require current or future sponsorship for employment authorization.

____________________________________________________________________________________

Our Culture

At Bonterra, we’re innovating with a higher purpose: to increase giving to 3% of US GDP by 2033, creating $573 billion more in global impact every year. At Bonterra, we foster an inclusive, equitable culture where every team member belongs and contributes to meaningful impact. Read more about our values and culture here.

Compensation & Benefits

We offer a comprehensive benefits package that supports your health, well-being and growth - explore full details here.

Compensation and benefits for this role apply to full-time employees in the United States and may vary based on local standards, laws and norms. Pay is determined by location, skills, experience, and education, and is one part of Bonterra’s total rewards package, which may also include bonuses, incentives, equity, and a comprehensive benefits program.

____________________________________________________________________________________

Equal Opportunity & Accommodations

At Bonterra, we are proud to be an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. We provide equal employment opportunities without regard to race, color, religion, sex (including pregnancy, sexual orientation, or gender identity), national origin, age, disability, veteran status, or any other characteristic protected by law.

If you require a reasonable accommodation during the application process, please submit a request.
