Job Title: Engineering Risk & Compliance Manager
Location: Porto, Portugal
Employment Type: Contract to hire

Job Description:
We are seeking a contract-to-hire Engineering Risk & Compliance Manager to drive our PCI DSS (Payment Card Industry Data Security Standard), GDPR, and other compliance initiatives across PMS platform engineering and DevOps. This role is embedded within our technical organization and acts as a dedicated stakeholder responsible for aligning our infrastructure, development workflows, and data handling practices with regulatory and security standards.

You will partner closely with engineering, DevOps, legal, and leadership to ensure that security and privacy are implemented by design, not as an afterthought. The ideal candidate has a strong technical understanding of cloud-native and hybrid environments and is comfortable translating regulatory obligations into practical, enforceable controls within the software delivery lifecycle.

Key Responsibilities:
- Drive PCI DSS and GDPR compliance across engineering and infrastructure, including internal readiness for assessments, SAQ (Self-Assessment Questionnaire) and ROC (Report on Compliance) submissions, and ongoing data protection obligations.
- Collaborate with DevOps, legal, and product teams to implement security controls and monitor compliance for access management, encryption, logging, vulnerability management, and third-party integrations.
- Establish and enforce policies for secure logging, data retention, redaction, and incident response processes to address security and privacy issues (e.g., data exposure, unauthorized access).
- Conduct gap analyses, risk assessments, and compliance audits to identify security and regulatory deficiencies, while defining and implementing security controls aligned with industry standards.
- Maintain a living risk register and compliance tracking system, ensuring all technical and regulatory controls are met and up to date.
- Provide guidance to developers and DevOps on secure and privacy-conscious implementation practices within product and infrastructure workflows.
- Assist with audit and certification preparation, working with QSAs, auditors, and regulators to ensure smooth compliance evaluations and reporting.
- Collaborate with security teams to ensure continuous monitoring, incident response readiness, and documentation of security policies, compliance activities, and remediation efforts.
- Regularly report on compliance status, risks, and findings to technical leadership, ensuring alignment with regulatory obligations and security standards.

Required Qualifications:
- 5+ years of experience in a security, privacy, or compliance role with strong alignment to engineering and infrastructure teams.
- Strong knowledge of network security, encryption, identity management, vulnerability management, and security architecture.
- Ability to translate compliance mandates into technical requirements for developers and DevOps teams.
- Proven experience driving PCI DSS and GDPR compliance initiatives in cloud-native (AWS preferred) as well as on-premises environments.
- Experience working with auditors, QSAs, and regulators to achieve and maintain compliance.
- Hands-on understanding of secure development practices, CI/CD pipelines, and infrastructure-as-code.
- Familiarity with tools and processes for logging, monitoring, vulnerability scanning, and audit automation.
- Experience leading or coordinating audits, gap assessments, and incident response postmortems.
- Strong communication and documentation skills; able to translate technical controls into business risks and vice versa.
- Excellent analytical and problem-solving skills.
- Fluent in English (written and verbal).

Additional Qualifications (Nice to Have):
- Certification(s): PCI ISA, CIPP/E, CISA, CISSP, or similar.
- Experience working in a regulated or customer-facing SaaS or hospitality tech environment.
- Familiarity with Apptio Cloudability, AWS Cost Optimization Hub, or similar tools.
- Knowledge of other frameworks like ISO 27001, SOC 2, or NIS2 is a plus.
- Experience working with fiscal compliance regulations (e.g., KassenSichV, RKSV, Fiskalizacija) in hospitality, retail, or POS/PMS systems is a strong plus.

First 180 Day Expectations:

30 Days
  o Understand our product, infrastructure, architecture, and existing compliance posture.
  o Review past audits, risk assessments, and current control implementations.
  o Map key stakeholders across DevOps, engineering, legal, and leadership.
  o Begin high-level gap assessment for PCI DSS and GDPR obligations.

60 Days
  o Deliver a detailed compliance gap analysis with prioritized action items.
  o Lead implementation of short-term controls (e.g., logging cleanup, access reviews, DPA updates).
  o Define and socialize the engineering compliance roadmap with clear milestones and ownership.
  o Begin documenting policies and procedures for critical controls.

90 Days
  o Embed compliance checks into engineering and infrastructure workflows (e.g., CI/CD, logging standards, infrastructure tagging).
  o Prepare or update PCI ROC/SAQ documentation and GDPR records of processing activities.
  o Coordinate any external audit preparation activities if applicable.
  o Provide cadence-based reporting on all compliance initiatives and issues.
  o Own a live compliance dashboard with tracking of all PCI/GDPR controls.
  o Achieve completion of prioritized remediation items and launch of evergreen compliance processes.

APPLY HERE or via email at: menna.chikhi@lafosse.com