Company Description
We’re Checkout.com. You might not know our name, but companies like eBay, Spotify, Klarna, Uber, and Sony do, because we’re behind many of the digital experiences you use every day.
We are where the world checks out, enabling over 10 billion transactions yearly for more than one billion global shoppers.
Whether you want to book a holiday, order food, renew a subscription, or check out online, there’s a good chance our tech powers the payments behind the scenes. Our platform helps the most ambitious businesses deliver effortless digital experiences, at scale.
If you want to do career-defining work, you’ve come to the right place. We move fast, think globally, and believe great teams are built by hiring exceptional people with conviction, curiosity, and the desire to make an impact.
With 20 offices across six continents and London as our HQ, we’re shaping the future of fintech – and we’re just getting started.
The Role
As a Senior Information Security Analyst within the GRC team, you will lead the strategic and technical execution of Checkout.com's governance, risk and compliance programme. This is a role for a seasoned GRC professional who brings deep expertise across regulatory compliance, enterprise risk management, and security governance — and who can operate with full autonomy while shaping how the function evolves.
You will take ownership of Checkout's most complex and high-stakes compliance programmes — PCI DSS v4.0.1, ISO 27001, SOC 2, DORA, and emerging obligations across our global licensed entities — while providing expert guidance to engineering, product, legal, and compliance teams on the security requirements that underpin our ability to operate and grow in regulated markets worldwide.
At L4, you are a trusted advisor. You do not just manage compliance — you set the direction for it. You define how risk is identified, assessed, and treated. You advise on product and infrastructure decisions from a risk perspective. You mentor and develop junior and mid-level analysts. And you work closely with security leadership to ensure the GRC programme is aligned to the business's strategic objectives and risk appetite.
Your influence extends well beyond the GRC team. You help shape the security culture at Checkout, driving a risk-aware mindset across the business through clear communication, pragmatic guidance, and expert leadership.
How You'll Make An Impact
GRC Programme Leadership
- Lead defined sub-areas of Checkout's GRC programme end-to-end, including PCI DSS v4.0.1, ISO 27001, SOC 2, and regulatory obligations across Europe, MENA, APAC, and the Americas.
- Define how control evidence is collected and maintained, moving the function toward continuous audit readiness and away from point-in-time preparation.
- Own and drive improvements to GRC documentation including policies, standards, procedures, and control matrices — ensuring they reflect Checkout's evolving risk profile and regulatory obligations.
- Lead gap analyses against new and evolving requirements, including DORA ICT risk obligations and the EU AI Act, producing prioritised remediation roadmaps with clear business impact framing.
- Own the risk register for your sub-area, managing risk treatment through to closure and escalating to leadership where risk appetite may be exceeded.
- Define and refine Checkout's third-party risk management approach for high-risk and critical vendors, setting assessment standards and overseeing their consistent application.
- Drive continual improvement of the GRC programme itself — regularly assessing programme maturity, identifying process inefficiencies, and implementing improvements to how risk is identified, assessed, treated, and reported across the business.
Audit and Assessment Leadership
- Serve as the primary point of contact for external auditors, QSAs, and regulatory assessors across PCI DSS, ISO 27001, SOC 2, and ITGC audit cycles.
- Demonstrated experience implementing ISO management system standards end-to-end, covering initial scoping and gap assessment through control design, policy development, internal audit programme, and certification – ideally across more than one standard.
- Lead end-to-end audit delivery — scoping, evidence preparation, walkthrough facilitation, finding management, and formal closure.
- Own the end-to-end response process for complex merchant assurance and regulatory due diligence requests, ensuring Checkout's compliance posture is presented accurately and persuasively.
- Lead quarterly and annual compliance activities including vulnerability scanning coordination, penetration testing programmes, access reviews, and firewall configuration assurance.
Policy, Controls and Regulatory Strategy
- Apply expert knowledge of PCI DSS v4.0.1, ISO 27001/27002, SOC 2, DORA, NIST CSF, and related frameworks to drive control design, policy development, and compliance strategy.
- Advise product and engineering teams on compliance requirements at the point of design, embedding regulatory obligations into architecture decisions and development workflows.
- Lead Checkout's regulatory change management activities — monitoring the evolving landscape across financial services, data protection, and AI regulation, assessing business impact, and driving remediation programmes.
- Identify and drive systemic improvements to GRC processes, including automation opportunities that improve programme efficiency and evidence quality.
- Contribute to the design and development of GRC tooling, dashboards, and risk reporting to improve leadership visibility of Checkout's compliance and risk posture.
Stakeholder Influence and Team Development
- Act as a senior trusted advisor to Engineering, Product, Legal, Finance, Procurement, and Compliance on all GRC matters, communicating risk in business terms that drive informed decisions.
- Represent the GRC function in cross-functional forums, governance committees, and regulatory discussions, influencing decisions that affect Checkout's risk posture.
- Mentor and develop junior and mid-level GRC analysts (L1–L3), raising the capability of the team through structured knowledge sharing, review, and coaching.
- Promote a security-first culture across Checkout through proactive engagement, executive-level reporting, and accessible guidance that empowers non-security teams to make good risk decisions.
What We're Looking For:
Experience
- 5 or more years of experience in GRC, information security compliance, IT audit, or a closely related function, ideally within payments, financial services, or fintech.
- Deep working knowledge of PCI DSS (v4.0.1 required), ISO 27001, and SOC 2. Practical experience with DORA, NIST CSF, the EU AI Act, or FCA/PRA obligations is strongly preferred.
- Demonstrated track record of leading external audits and regulatory assessments end-to-end, including managing assessor relationships and driving findings to closure.
- Proven ability to own and deliver complex GRC programme workstreams independently, including gap analyses, risk treatment programmes, and regulatory change initiatives.
- Experience advising engineering and product teams on compliance requirements, with the ability to translate regulatory obligations into practical, proportionate controls.
- Track record of developing and mentoring less experienced colleagues.
Skills and Approach
- Expert written and verbal communication. You can frame complex regulatory and risk issues for a technical audience, a business stakeholder, and executive leadership — and adapt your style to drive the right outcome in each context.
- Strategic and analytical thinker. You see beyond individual findings and controls to understand systemic risk patterns, root causes, and the broader implications for the business.
- Decisive under ambiguity. You can set direction and make sound judgement calls on prioritisation and risk treatment without waiting for perfect information.
- Highly collaborative and influential. You understand that compliance must be embedded across the business, and you build the relationships and credibility needed to make that happen.
- Pragmatic and outcome-focused. You design controls and processes that are proportionate to risk and workable in practice, not just theoretically sound.
Preferred
- CISA, CISM, CISSP, PCIP, ISO 27001 Lead Implementer or Lead Auditor, or equivalent advanced certification.
- Familiarity with cloud environments (AWS, Azure, GCP) at an architecture or control level.
- Experience with AI governance frameworks such as ISO 42001, the EU AI Act, or NIST AI RMF.
- Experience designing or implementing GRC tooling, risk platforms, or compliance automation solutions.
- Background in a Big Four advisory, payments scheme, or regulatory environment is advantageous.
Additional Information
Bring all of you to work
We create the conditions for high performers to thrive, through real ownership, fewer blockers, and work that makes a difference from day one.
Here, you’ll move fast, take on meaningful challenges, and be recognized for the impact you deliver. It’s a place where ambition gets met with opportunity, and where your growth is in your hands.
We work as one team, and we back each other to succeed. So whatever your background or identity, if you’re ready to grow and make a difference, you’ll be right at home here.
It’s important we set you up for success and make our process as accessible as possible. So let us know in your application, or tell your recruiter directly, if you need anything to make your experience or working environment more comfortable.
Life at Checkout.com
We understand that work is just one part of your life. Our hybrid working model offers flexibility, with three days per week in the office to support collaboration and connection.
Curious about what it’s like to be part of our team? Visit our Careers Page to learn more about our culture, open roles, and what drives us.
For a closer look at daily life at Checkout.com, follow us on LinkedIn and Instagram