tripactions
PCI & SOX Compliance Specialist
London, UKLegalposted 0d ago
About the role
The Security Compliance Analyst will be a critical, hands-on member of the Navan Governance, Risk, Compliance, and Trust (GRCT) Team, specifically embedded in London to drive the compliance integration between Navan and Reed & Mackay.
This is not a high-level policy writing or checking boxes role. We are looking for an active, execution-focused compliance professional to untangle legacy systems, map control deficiencies, and run daily operational workflows. Acting as a decisive bridge between engineering sprint teams, IT infrastructure, and US-based external auditors, you will own the day-to-day transaction compliance and technical evidence pipeline that keeps our global travel and expense platforms bulletproof.
What You’ll Do
- Own Vulnerability Remediation Loops: Actively track and oversee quarterly PCI ASV scans and penetration testing cycles, collaborating directly with IT and engineering teams to ensure patches are executed within strict SLA windows.
- Lead the Integration Pipeline: Conduct continuous gap analyses and map security controls as we merge legacy travel infrastructure into Navan's modern cloud frameworks.
- Drive SOX 404 Controls: Take ownership of testing and validating IT General Controls (ITGCs) under Sarbanes-Oxley Section 404, with a heavy emphasis on access control management (Joiners/Movers/Leavers) and secure code deployment.
- Embed with Engineering: Partner with development teams to automate manual evidence gathering, translating rigid compliance jargon into clear, actionable JIRA tickets.
- Collaborate Globally: Partner closely with US-based audit firms and compliance bodies. This includes a flexible schedule to work late hours (until 9:00 PM–10:00 PM) a few days per month on specific US alignment days.
- Track Open Deficiencies: Manage the risk register and remediation tracking lifecycle from initial identification to final verification and closure.
What We’re Looking For
- Experience: Minimum of 3+ years of hands-on, corporate operational experience in information security compliance. You must have active experience sitting on a corporate security or IT team—purely academic, training, or governmental advisory backgrounds will not fit the speed of this role.
- PCI & SOX Technical Depth: Proved, practical exposure executing compliance frameworks for transactional environments. You must understand Section 404 ITGCs and the technical mechanics of PCI DSS (including cardholder data protection environments and SAQs).
- Tools & Systems Mastery: Comfortable navigating tracking platforms such as JIRA, ServiceNow GRC, or AuditBoard to monitor, assign, and resolve open compliance findings.
- A Technical Edge: A baseline technical background (e.g., computer science, systems administration, or IT support) that allows you to confidently push back on or guide engineers during patch cycles.
- Location & Hours Flexibility: Willingness to work under a hybrid model out of our London office (4 days a week) and the routine flexibility needed to support monthly evening shifts for US team synchronization.
- Language requirements: Full proficiency in English.
- Bonus Points: Certifications such as CompTIA Security+ or ISO 27001 Internal Auditor.