Job Description

Nordstrom is looking for a technically deep PCI SME who thrives at the intersection of hands-on payment security work and program building. You’ll own our PCI DSS v4.0 compliance program end-to-end — from scoping and evidence collection through control testing and QSA coordination — while simultaneously building the operational backbone (processes, tooling, documentation) that keeps the program humming year-round, not just during assessment season.

You’re the person who knows what’s in scope. When an engineer asks “does this new microservice touch the CDE?” or a product manager wants to know if their new payment flow creates PCI exposure, you’re the one they come to — and you give them a real answer, not a “it depends, let me escalate.”

You’ll also be a go-to resource and mentor for the other compliance analysts on the team. You won’t manage anyone’s performance reviews, but your PCI expertise will help level everyone up — answering questions, reviewing their work, and making sure the team speaks PCI fluently.

If you get a little too excited about data flow diagrams, have strong opinions about network segmentation, and have ever caught a scoping error that saved your company a world of pain — keep reading.

A Day in the Life

Own the PCI Program (for real)

**Drive the full PCI DSS v4.0 compliance lifecycle: **scoping, gap assessment, evidence collection, control testing, and annual QSA coordination. You’re not handing this off — you’re running it.
**Build and maintain the CDE asset inventory **— network segmentation docs, data flow diagrams, system component registers — across on-premises and cloud. If it touches cardholder data, you know about it.
**Design and run the periodic control testing program: **scheduling, evidence requests, test procedures, exception tracking, and remediation follow-up. Assessment season should feel like a victory lap, not a fire drill.
**Write the policies, procedures, RACIs, and runbooks **that make the program sustainable — so it doesn’t fall apart when you take a vacation.
**Track findings, owners, and milestones in the GRC platform **and surface the right KPIs and KRIs (open findings age, control test pass rates, inventory coverage) so leadership always knows where things stand.

Be the Scoping Expert in the Room

**Lead scoping conversations with engineering and infrastructure teams **to define CDE boundaries in hybrid on-prem/cloud environments (AWS, Azure, GCP) — and back up your decisions with solid documentation.
**Review architecture changes, new products, and vendor integrations before they ship **so PCI surprises happen in a design doc, not during QSA fieldwork.
**Spot de-scoping opportunities **— whether it’s segmentation, tokenization, or P2PE — and partner with engineering to get them implemented.
**Dig into network diagrams, cloud configs, and data flow docs **to validate scope and find the undocumented CHD flows before the QSA does.
**Translate PCI requirements into concrete specs for engineers: **what Req 6 means for their CI/CD pipeline, what Req 8 means for their IAM setup, what Req 10 means for their logging architecture.

Test Controls, Collect Evidence, Repeat

**Actually test technical controls **— firewall rule reviews, patch compliance, access reviews, log configurations, encryption assessments. You’re not just reviewing screenshots someone else took.
**Build a reusable testing library: **documented test procedures for every in-scope Requirement, so each cycle gets more efficient, not more chaotic.
**Collect and validate evidence to QSA standards **— complete, timestamped, traceable to specific sub-requirements. Future you will thank present you.
**Run the evidence request workflow with control owners **so the week before QSA fieldwork isn’t a full-team emergency.

Own the QSA Relationship

**Be the primary day-to-day QSA contact: **coordinate fieldwork, manage document requests, and run walkthroughs with technical teams so engineers aren’t getting cold-called by assessors.
**Defend scoping decisions, present compensating controls, and represent Nordstrom’s compliance posture **with confidence — because you built the program and you know it inside out.
**Manage acquiring bank and payment brand relationships **around compliance status, SAQ applicability, and AOC delivery.

Level Up the Team

**Be the PCI go-to for the compliance team: **answer the hard questions, review work products, and help other analysts build their PCI knowledge over time.
**Embed with engineering, DevOps, and product teams **as a trusted advisor — show up to design reviews, join sprint ceremonies when it matters, be the person who makes PCI feel less scary.
**Educate stakeholders on PCI obligations and v4.0 changes **in language that actually lands, whether you’re talking to a network engineer or a VP.
**Partner with the broader GRC team **to spot control overlaps with SOX, HIPAA, and other frameworks and contribute to a Common Control Framework.

You’re the One If You Have…

PCI Experience That Goes Beyond the Checkbox

**6–8 years of hands-on PCI DSS compliance experience, **with at least 3 years owning or co-owning a PCI program at a merchant, payment processor, or service provider.
**A track record of building PCI programs from scratch: **asset inventory processes, control testing schedules, evidence libraries, and operational procedures — not inheriting a fully-built program and maintaining it.
**Deep working knowledge of PCI DSS v4.0 **across all 12 Requirements, including the technical requirements for network security, cryptography, access control, logging, and secure development.
**Real scoping experience in hybrid on-premises and cloud environments, **including formal documentation of scoping rationale you’ve had to defend to a QSA.
**Hands-on control testing chops: **you’ve reviewed firewall rules, validated patch compliance, run access reviews, and checked log configs yourself — not just reviewed evidence others collected.
**QSA coordination experience: **you’ve been in the room (or on the call) managing document requests, running walkthroughs, and answering the hard questions.

Technical Fluency

**You can read a network diagram and spot a scoping problem **— VLANs, DMZs, firewall rule sets, and cloud VPC/security group configs aren’t intimidating to you.
**Cloud familiarity in at least one major platform (AWS, Azure, GCP) **as it applies to PCI scoping and control requirements.
**You can confidently participate in technical conversations **as Nordstrom’s PCI SME.
**You know your tokenization **and can explain how each affects CDE scope without reading from a slide.
**Comfortable with vulnerability management and patch compliance processes **as required under PCI DSS Requirement 6.
**You can read technical docs — network diagrams, data flow diagrams, system configs, audit logs — **and extract what you need to make a compliance call.

The Soft Stuff That’s Actually Hard

**You’re a player-coach: **you’re doing hands-on work and helping others do theirs better — without needing a management title to have influence.
**You can translate PCI-speak into plain English for engineers, **and technical risk into business language for leadership. Both directions, fluently.
**You’re comfortable pushing back **when a proposed design creates PCI risk — and you come with alternatives, not just objections.
**You’re organized enough to juggle inventory, testing, remediation, and QSA prep simultaneously **without dropping things or waiting to be told what to do next.
**You’ve used a GRC platform **(ServiceNow, Archer, Drata, Vanta, or similar) to track findings and evidence — and you have opinions about how it should be configured.

Education

**Bachelor’s degree in Information Technology, Computer Science, Cybersecurity, or a related field, **or equivalent experience doing the actual work.

Bonus Points

**PCI ISA certification **or active QSA qualification — this is a big one.
**Additional certifications: **CISA, CISSP, CRISC, or cloud security certs (AWS Security Specialty, CCSK).
**Retail, e-commerce, or hospitality experience **with complex, multi-channel cardholder data environments.
**Familiarity with other frameworks **(SOX ITGC, HIPAA, CCPA) and experience contributing to a Common Control Framework.
**GRC platform implementation or configuration experience, **including building control libraries and evidence workflows.
**PCI consulting or QSA firm background. **You’ve seen a lot of programs — good and bad — and know what works.

Pay Range Details

The pay range(s) below has been provided in compliance with state specific laws. Pay ranges may be different for other locations. Pay offers are dependent on the location, as well as job-related knowledge, skills, and experience.

$166,000.00 - $258,000.00 Annual

We’ve got you covered…

Our employees are our most important asset and that’s reflected in our benefits. Nordstrom is proud to offer a variety of benefits to support employees and their families, including:

Medical/Vision, Dental, Retirement and Paid Time Away
Life Insurance and Disability
Merchandise Discount and EAP Resources

This position may be eligible for performance-based incentives/bonuses. Benefits include 401k, medical/vision/dental/life/disability insurance options, PTO accruals, Holidays, and more. Eligibility requirements may apply based on location, job level, classification, and length of employment. Learn more in the Nordstrom Benefits Overview by copying and pasting the following URL into your browser: https://careers.nordstrom.com/pdfs/Ben_Overview_17-19.pdf

A few more important points...

The job posting highlights the most critical responsibilities and requirements of the job. It’s not all-inclusive. There may be additional duties, responsibilities and qualifications for this job.

For Los Angeles or San Francisco applicants: Nordstrom is required to inform you that we conduct background checks after conditional offer and consider qualified applicants with criminal histories in a manner consistent with legal requirements per Los Angeles, Cal. Muni. Code 189.04 and the San Francisco Fair Chance Ordinance. For additional state and location specific notices, please refer to the Legal Notices document within the FAQ section of the Nordstrom Careers site.

Applicants with disabilities who require assistance or accommodation should contact the nearest Nordstrom location, which can be identified at www.nordstrom.com.

Please be mindful that there may be legal notices and requirements related to this job posting that are specific to your state. Review the Career Site FAQ’s for relevant information and guidelines.

Current Nordstrom employees: To apply, log into Workday, click the Careers button and then click Find Jobs.

Nordstrom keeps job postings open for at least one day after the posting date.

Job Description

A Day in the Life

Own the PCI Program (for real)

**Drive the full PCI DSS v4.0 compliance lifecycle: **scoping, gap assessment, evidence collection, control testing, and annual QSA coordination. You’re not handing this off — you’re running it.
**Build and maintain the CDE asset inventory **— network segmentation docs, data flow diagrams, system component registers — across on-premises and cloud. If it touches cardholder data, you know about it.
**Design and run the periodic control testing program: **scheduling, evidence requests, test procedures, exception tracking, and remediation follow-up. Assessment season should feel like a victory lap, not a fire drill.
**Write the policies, procedures, RACIs, and runbooks **that make the program sustainable — so it doesn’t fall apart when you take a vacation.
**Track findings, owners, and milestones in the GRC platform **and surface the right KPIs and KRIs (open findings age, control test pass rates, inventory coverage) so leadership always knows where things stand.

Be the Scoping Expert in the Room

**Lead scoping conversations with engineering and infrastructure teams **to define CDE boundaries in hybrid on-prem/cloud environments (AWS, Azure, GCP) — and back up your decisions with solid documentation.
**Review architecture changes, new products, and vendor integrations before they ship **so PCI surprises happen in a design doc, not during QSA fieldwork.
**Spot de-scoping opportunities **— whether it’s segmentation, tokenization, or P2PE — and partner with engineering to get them implemented.
**Dig into network diagrams, cloud configs, and data flow docs **to validate scope and find the undocumented CHD flows before the QSA does.
**Translate PCI requirements into concrete specs for engineers: **what Req 6 means for their CI/CD pipeline, what Req 8 means for their IAM setup, what Req 10 means for their logging architecture.

Test Controls, Collect Evidence, Repeat

**Actually test technical controls **— firewall rule reviews, patch compliance, access reviews, log configurations, encryption assessments. You’re not just reviewing screenshots someone else took.
**Build a reusable testing library: **documented test procedures for every in-scope Requirement, so each cycle gets more efficient, not more chaotic.
**Collect and validate evidence to QSA standards **— complete, timestamped, traceable to specific sub-requirements. Future you will thank present you.
**Run the evidence request workflow with control owners **so the week before QSA fieldwork isn’t a full-team emergency.

Own the QSA Relationship

**Be the primary day-to-day QSA contact: **coordinate fieldwork, manage document requests, and run walkthroughs with technical teams so engineers aren’t getting cold-called by assessors.
**Defend scoping decisions, present compensating controls, and represent Nordstrom’s compliance posture **with confidence — because you built the program and you know it inside out.
**Manage acquiring bank and payment brand relationships **around compliance status, SAQ applicability, and AOC delivery.

Level Up the Team

**Be the PCI go-to for the compliance team: **answer the hard questions, review work products, and help other analysts build their PCI knowledge over time.
**Embed with engineering, DevOps, and product teams **as a trusted advisor — show up to design reviews, join sprint ceremonies when it matters, be the person who makes PCI feel less scary.
**Educate stakeholders on PCI obligations and v4.0 changes **in language that actually lands, whether you’re talking to a network engineer or a VP.
**Partner with the broader GRC team **to spot control overlaps with SOX, HIPAA, and other frameworks and contribute to a Common Control Framework.

You’re the One If You Have…

PCI Experience That Goes Beyond the Checkbox

**6–8 years of hands-on PCI DSS compliance experience, **with at least 3 years owning or co-owning a PCI program at a merchant, payment processor, or service provider.
**A track record of building PCI programs from scratch: **asset inventory processes, control testing schedules, evidence libraries, and operational procedures — not inheriting a fully-built program and maintaining it.
**Deep working knowledge of PCI DSS v4.0 **across all 12 Requirements, including the technical requirements for network security, cryptography, access control, logging, and secure development.
**Real scoping experience in hybrid on-premises and cloud environments, **including formal documentation of scoping rationale you’ve had to defend to a QSA.
**Hands-on control testing chops: **you’ve reviewed firewall rules, validated patch compliance, run access reviews, and checked log configs yourself — not just reviewed evidence others collected.
**QSA coordination experience: **you’ve been in the room (or on the call) managing document requests, running walkthroughs, and answering the hard questions.

Technical Fluency

**You can read a network diagram and spot a scoping problem **— VLANs, DMZs, firewall rule sets, and cloud VPC/security group configs aren’t intimidating to you.
**Cloud familiarity in at least one major platform (AWS, Azure, GCP) **as it applies to PCI scoping and control requirements.
**You can confidently participate in technical conversations **as Nordstrom’s PCI SME.
**You know your tokenization **and can explain how each affects CDE scope without reading from a slide.
**Comfortable with vulnerability management and patch compliance processes **as required under PCI DSS Requirement 6.
**You can read technical docs — network diagrams, data flow diagrams, system configs, audit logs — **and extract what you need to make a compliance call.

The Soft Stuff That’s Actually Hard

**You’re a player-coach: **you’re doing hands-on work and helping others do theirs better — without needing a management title to have influence.
**You can translate PCI-speak into plain English for engineers, **and technical risk into business language for leadership. Both directions, fluently.
**You’re comfortable pushing back **when a proposed design creates PCI risk — and you come with alternatives, not just objections.
**You’re organized enough to juggle inventory, testing, remediation, and QSA prep simultaneously **without dropping things or waiting to be told what to do next.
**You’ve used a GRC platform **(ServiceNow, Archer, Drata, Vanta, or similar) to track findings and evidence — and you have opinions about how it should be configured.

Education

**Bachelor’s degree in Information Technology, Computer Science, Cybersecurity, or a related field, **or equivalent experience doing the actual work.

Bonus Points

**PCI ISA certification **or active QSA qualification — this is a big one.
**Additional certifications: **CISA, CISSP, CRISC, or cloud security certs (AWS Security Specialty, CCSK).
**Retail, e-commerce, or hospitality experience **with complex, multi-channel cardholder data environments.
**Familiarity with other frameworks **(SOX ITGC, HIPAA, CCPA) and experience contributing to a Common Control Framework.
**GRC platform implementation or configuration experience, **including building control libraries and evidence workflows.
**PCI consulting or QSA firm background. **You’ve seen a lot of programs — good and bad — and know what works.

Pay Range Details

$166,000.00 - $258,000.00 Annual

We’ve got you covered…

Our employees are our most important asset and that’s reflected in our benefits. Nordstrom is proud to offer a variety of benefits to support employees and their families, including:

Medical/Vision, Dental, Retirement and Paid Time Away
Life Insurance and Disability
Merchandise Discount and EAP Resources

A few more important points...

The job posting highlights the most critical responsibilities and requirements of the job. It’s not all-inclusive. There may be additional duties, responsibilities and qualifications for this job.

Applicants with disabilities who require assistance or accommodation should contact the nearest Nordstrom location, which can be identified at www.nordstrom.com.

Please be mindful that there may be legal notices and requirements related to this job posting that are specific to your state. Review the Career Site FAQ’s for relevant information and guidelines.

Current Nordstrom employees: To apply, log into Workday, click the Careers button and then click Find Jobs.

Nordstrom keeps job postings open for at least one day after the posting date.

Senior Technical Pci Analyst (hybrid - Seattle)

What you'd actually do

Skills

Required

Nice to have

What the JD emphasized

Job Description

A Day in the Life

Own the PCI Program (for real)

Be the Scoping Expert in the Room

Test Controls, Collect Evidence, Repeat

Own the QSA Relationship

Level Up the Team

You’re the One If You Have…

PCI Experience That Goes Beyond the Checkbox

Technical Fluency

The Soft Stuff That’s Actually Hard

Education

Bonus Points

Job Description

A Day in the Life

Own the PCI Program (for real)

Be the Scoping Expert in the Room

Test Controls, Collect Evidence, Repeat

Own the QSA Relationship

Level Up the Team

You’re the One If You Have…

PCI Experience That Goes Beyond the Checkbox

Technical Fluency

The Soft Stuff That’s Actually Hard

Education

Bonus Points