Checkout.com

InfoSec Analyst II (GRC)

London · Posted Today
Part-time · Hybrid

Job Description

Company Description

We’re Checkout.com. You might not know our name, but companies like eBay, Spotify, Klarna, Uber, and Sony do, because we’re behind many of the digital experiences you use every day.

We are where the world checks out, enabling over 10 billion transactions daily for more than one billion global shoppers.

Whether you want to book a holiday, order food, renew a subscription, or check out online, there’s a good chance our tech powers the payments behind the scenes. Our platform helps the most ambitious businesses deliver effortless digital experiences, at scale.

If you want to do career-defining work, you’ve come to the right place. We move fast, think globally, and believe great teams are built by hiring exceptional people with conviction, curiosity, and the desire to make an impact.

With 20 offices across six continents and London as our HQ, we’re shaping the future of fintech – and we’re just getting started.

The Role

As an Information Security Analyst II within the GRC team, you will take meaningful ownership of Checkout.com's governance, risk and compliance programmes. This is a role for someone who has moved beyond task execution and is ready to drive workstreams, lead compliance activities, and act as a trusted point of contact for internal teams and external assessors.

You will work across Checkout's core compliance frameworks including PCI DSS v4.0.1, ISO 27001, SOC 2, and emerging regulatory obligations such as DORA and the EU AI Act, supporting our global footprint across Europe, MENA, APAC, and the Americas. You will coordinate audit evidence activities, conduct risk assessments, improve GRC processes, and support the development of junior colleagues.

This role sits at the heart of how Checkout manages risk. We don't just audit and report. We own the risk narrative, drive the control environment, and ensure the business can grow with confidence in regulated markets worldwide.

How You'll Make an Impact

Governance, Risk and Compliance Programme Management

  • Own and manage defined workstreams within Checkout's GRC programme, including PCI DSS v4.0.1, ISO 27001, SOC 2, and relevant regulatory obligations across our global licensed entities.

  • Coordinate control evidence collection activities across internal teams, ensuring continuous audit readiness rather than point-in-time preparation.

  • Maintain and improve GRC documentation including policies, standards, procedures, and control matrices, ensuring they stay current and proportionate to Checkout's evolving risk profile.

  • Perform gap analyses against new or evolving requirements including DORA and the EU AI Act, translating findings into prioritised remediation plans.

  • Support monitoring of the risk register, track remediation activity against agreed timelines, and escalate issues where commitments are at risk.

  • Conduct third-party risk assessments, evaluating supplier security controls and compliance posture in line with Checkout's TPRM framework.

Audit and Assessment Support

  • Act as a key liaison between internal teams and external auditors, QSAs, and assessors across PCI DSS, ISO 27001, IT General Controls (ITGCs) and SOC 2 certification cycles.

  • Prepare and deliver evidence packages, coordinate walkthroughs, and manage audit findings through to closure.

  • Support the end-to-end response process for merchant assurance questionnaires and due diligence inquiries, ensuring all technical and regulatory queries are addressed accurately and within agreed SLAs.

  • Support quarterly and annual compliance activities including vulnerability scanning, penetration testing coordination, access reviews, and firewall configuration reviews.

Policy, Controls and Regulatory Coverage

  • Apply working knowledge of PCI DSS v4.0.1, ISO 27001/27002, SOC 2, DORA, NIST CSF, and other applicable frameworks to day-to-day GRC work.

  • Support the response to regulatory change across Checkout's operating markets, including FCA/PRA requirements and payment scheme obligations, flagging gaps and supporting impact assessments.

  • Proactively identify inefficiencies in GRC processes and propose practical improvements, including automation where viable.

  • Contribute to the development and refinement of GRC tooling, dashboards, and reporting to improve visibility of risk and compliance posture across the business.

Stakeholder Engagement and Mentoring

  • Work closely with Engineering, Product, Legal, Procurement, and Finance to embed security and compliance requirements into processes, systems, and projects.

  • Respond to PCI DSS, ISO 27001, and broader security-related due diligence requests from merchants, partners, and regulators.

  • Provide guidance and day-to-day support to junior analysts (L1 and L2), contributing to their development through knowledge sharing and review.

  • Promote a security-first culture across Checkout through proactive engagement, awareness sessions, and accessible guidance for non-security teams.

What We're Looking For

Experience

  • 2 to 4 years of experience in GRC, information security compliance, IT audit, or a closely related function, ideally within payments, financial services, or fintech.

  • Practical working knowledge of PCI DSS (v4.0.1 preferred), ISO 27001, and SOC 2. Familiarity with DORA, NIST CSF, or the EU AI Act is a plus.

  • Experience supporting or directly managing external audits and assessments, including evidence collation and assessor liaison.

  • Demonstrated ability to own a programme workstream independently, from planning through to delivery.

  • Well-versed in risk management processes, including risk identification, third-party risk management, and merchant due diligence.

Skills and Approach

  • Clear written and verbal communication. You can translate a compliance requirement or risk finding for a technical team and a business stakeholder with equal clarity.

  • Analytical and process-oriented mindset. You look for root causes, not just point-in-time fixes.

  • Comfortable operating with ambiguity. You can prioritise and structure your work without every requirement being fully defined upfront.

  • Methodical and well-organised, with strong attention to detail and a consistent track record of delivering on commitments.

  • Collaborative and pragmatic. You understand that security and compliance must work with the business, not against it.

Preferred

  • CISA, CISM, PCIP, ISO 27001 Lead Implementer or Auditor, or equivalent certification.

  • Familiarity with cloud environments (AWS, Azure, GCP) in a GRC or compliance context.

  • Experience with GRC tooling, risk platforms, or compliance automation.

  • Exposure to AI governance frameworks such as ISO 42001, EU AI Act, or NIST AI RMF.

Hybrid Working Model

All of our offices globally are onsite three times per week (Tuesday, Wednesday, and Thursday). We've worked towards enabling teams to work collaboratively in the same space while also being able to partner with colleagues globally. During your days at the office, we offer great snacks, breakfast, and lunch options in all of our locations.

Additional Information

Bring all of you to work

We create the conditions for high performers to thrive, through real ownership, fewer blockers, and work that makes a difference from day one.

Here, you’ll move fast, take on meaningful challenges, and be recognized for the impact you deliver. It’s a place where ambition gets met with opportunity, and where your growth is in your hands.

We work as one team, and we back each other to succeed. So whatever your background or identity, if you’re ready to grow and make a difference, you’ll be right at home here.

It’s important we set you up for success and make our process as accessible as possible. So let us know in your application, or tell your recruiter directly, if you need anything to make your experience or working environment more comfortable.

Life at Checkout.com

We understand that work is just one part of your life. Our hybrid working model offers flexibility, with three days per week in the office to support collaboration and connection.

Curious about what it’s like to be part of our team? Visit our Careers Page to learn more about our culture, open roles, and what drives us.

For a closer look at daily life at Checkout.com, follow us on LinkedIn and Instagram
