Job Description
Company Description
We’re Checkout.com. You might not know our name, but companies like eBay, Spotify, Klarna, Uber, and Sony do, because we’re behind many of the digital experiences you use every day.
We are where the world checks out, enabling over 10 billion transactions daily for more than one billion global shoppers.
Whether you want to book a holiday, order food, renew a subscription, or check out online, there’s a good chance our tech powers the payments behind the scenes. Our platform helps the most ambitious businesses deliver effortless digital experiences, at scale.
If you want to do career-defining work, you’ve come to the right place. We move fast, think globally, and believe great teams are built by hiring exceptional people with conviction, curiosity, and the desire to make an impact.
With 20 offices across six continents and London as our HQ, we’re shaping the future of fintech – and we’re just getting started.
The Role
As an Information Security Analyst II at Checkout.com, you will work across the full breadth of the information security function, spanning Governance, Risk and Compliance (GRC), AI Governance, Application Security (AppSec), Technology Risk, and Data Governance. This is a role for someone who has built solid foundational expertise and is ready to take independent ownership of security initiatives across multiple domains.
Security at Checkout operates at scale and at pace. We are a global payments business, regulated across multiple jurisdictions, building infrastructure that processes billions of transactions. Our security function needs analysts who can think across domains, communicate with engineers and executives alike, and contribute to a security programme that is genuinely embedded in how the business operates.
At L3 you will manage security programmes, lead assessments, drive policy improvements, and mentor junior colleagues. Your primary focus is independent execution with growing influence. You know your domains well enough to spot gaps, propose solutions, and take them through to completion.
How You'll Make an Impact
Governance, Risk and Compliance
Support workstreams within Checkout's GRC programme, including ISO 27001, SOC 2, and relevant regulatory obligations across our global licensed entities.
Coordinate control evidence collection activities across internal teams, ensuring continuous audit readiness rather than point-in-time preparation.
Maintain and improve GRC documentation including policies, standards, procedures, and control matrices, ensuring they stay current and proportionate to Checkout's evolving risk profile.
Monitor the risk register, track remediation activity against agreed timelines, and escalate issues where commitments are at risk.
Conduct third-party risk assessments, evaluating supplier security controls and compliance posture in line with Checkout's TPRM framework.
Track regulatory change across Checkout's operating markets including DORA, FCA/PRA requirements, and payment scheme obligations, flagging gaps and supporting impact assessments.
AI Governance
Support the development and operationalisation of Checkout's AI governance framework, aligned to ISO 42001, the EU AI Act, and NIST AI RMF.
Conduct AI risk assessments for internal AI and ML systems and third-party AI tools, evaluating bias, transparency, data lineage, and control adequacy.
Maintain an inventory of AI use cases and associated risk classifications, working with product and engineering teams to embed governance requirements at the point of design.
Monitor the evolving regulatory landscape for AI in financial services and contribute to policy and control development that keeps Checkout ahead of emerging obligations.
Support Checkout's AI Security programme including threat modelling for agentic and LLM-based systems, and controls mapping against the OWASP LLM Top 10 and related frameworks.
Technology Risk
Conduct technology risk assessments across infrastructure, cloud environments, and third-party systems, producing clear outputs with actionable treatment recommendations.
Support third-party risk management activities, evaluating supplier security controls and compliance posture in line with Checkout's vendor risk framework.
Contribute to control assurance activities including vulnerability scanning coordination, firewall and configuration reviews, and access control assessments.
Monitor Checkout's technology risk landscape, identifying emerging threats and translating them into actionable risk items for the register and leadership reporting.
Support DORA-related ICT risk management obligations, contributing to resilience testing coordination and critical third-party risk assessments.
Data Governance
Support Checkout's data governance programme, including data classification, data flow mapping, and enforcement of data handling standards across the business.
Contribute to data loss prevention (DLP) controls and tooling, working with engineering and product teams to ensure sensitive data is protected throughout its lifecycle.
Assist in maintaining records of processing activities (RoPA) and supporting data protection impact assessments (DPIAs) for new systems and processing activities.
Work with the privacy and legal functions to ensure data governance controls meet GDPR, UK GDPR, and applicable regional data protection requirements.
Promote data governance awareness and good data handling practices across the business, contributing to training and guidance materials for non-technical teams.
Cross-domain Collaboration and Mentoring
Work closely with Engineering, Product, Legal, Procurement, Finance, and Compliance teams to embed security requirements into processes, systems, and projects across all five domains.
Respond to security due diligence requests from merchants, partners, and regulators, drawing on multi-domain expertise to provide accurate and comprehensive responses.
Provide guidance and day-to-day support to junior analysts (L1 and L2), contributing to their development through knowledge sharing and review.
Contribute to the continuous improvement of Checkout's security processes, identifying inefficiencies and proposing practical solutions including automation where viable.
What We're Looking For
Experience
2 to 4 years of experience in information security, IT audit, or a closely related function, ideally within payments, financial services, or fintech.
Demonstrated working knowledge across more than one of the following domains: GRC, AI governance, AppSec, technology risk, or data governance. Depth in one or two with credible breadth across the others is the target profile.
Practical experience with one or more major compliance frameworks: PCI DSS (v4.0.1 preferred), ISO 27001, SOC 2, DORA, NIST CSF, or equivalent.
Experience supporting or managing external audits, assessments, or regulatory engagements including evidence collation and assessor liaison.
Demonstrated ability to own a workstream independently, from scoping through to delivery, without requiring constant direction.
Skills and Approach
Strong analytical and process-oriented mindset. You look for root causes and systemic fixes, not just point-in-time remediation.
Clear written and verbal communication. You can translate security concepts for technical teams and business stakeholders with equal clarity.
Comfortable operating with ambiguity across a complex domain landscape. You can prioritise without perfect information.
Collaborative and pragmatic. You understand that security must work with the business and that influence matters as much as expertise.
Methodical and well-organised, with a track record of delivering on commitments across concurrent workstreams.
Preferred
Relevant certification in one or more domains: CISA, CISM, CISSP, PCIP, ISO 27001 Lead Implementer or Auditor, Certified AppSec Practitioner (CAP), or equivalent.
Familiarity with cloud environments (AWS, Azure, GCP) from a security or compliance perspective.
Exposure to AI and ML systems from a risk, governance, or security perspective.
Experience with security or GRC tooling such as Wiz, Qualys, Microsoft Sentinel, ServiceNow GRC, or similar.
Understanding of agentic AI and LLM security risks including OWASP LLM Top 10, prompt injection, and data exfiltration vectors.
Hybrid Working Model
All of our offices globally are onsite three times per week (Tuesday, Wednesday, and Thursday). We've worked towards enabling teams to work collaboratively in the same space while also being able to partner with colleagues globally. During your days at the office, we offer great snacks, breakfast, and lunch options in all of our locations.
Additional Information
Bring all of you to work
We create the conditions for high performers to thrive, through real ownership, fewer blockers, and work that makes a difference from day one.
Here, you’ll move fast, take on meaningful challenges, and be recognized for the impact you deliver. It’s a place where ambition gets met with opportunity, and where your growth is in your hands.
We work as one team, and we back each other to succeed. So whatever your background or identity, if you’re ready to grow and make a difference, you’ll be right at home here.
It’s important we set you up for success and make our process as accessible as possible. So let us know in your application, or tell your recruiter directly, if you need anything to make your experience or working environment more comfortable.
Life at Checkout.com
We understand that work is just one part of your life. Our hybrid working model offers flexibility, with three days per week in the office to support collaboration and connection.
Curious about what it’s like to be part of our team? Visit our Careers Page to learn more about our culture, open roles, and what drives us.
For a closer look at daily life at Checkout.com, follow us on LinkedIn and Instagram