The Estee Lauder Companies Director, IT Compliance - PCI in Long Island City, New York

Director, IT Compliance - PCI

Brand: Estée Lauder Companies


The Estée Lauder Companies (ELC) Inc. is a Fortune 500, multinational manufacturer and marketer of prestige skincare, makeup, fragrance and hair care products, headquartered in New York City. As the global leader in prestige beauty, we touch over half a billion consumers a year. The company owns a diverse portfolio of brands, distributed internationally through both digital commerce and retail channels.

ELC prizes the confidentiality of its consumers and therefore places a premium on cybersecurity. As the business world becomes increasingly digital and cyber threats grow in number and in sophistication, ELC will continue to invest and develop a proactive people-centered, cybersecurity program. The Global Information Risk and Security (GIRS) team spearheads these efforts.

The GIRS Risk and Compliance Director focused on Global PCI Compliance will be responsible for ensuring that all relevant technology systems worldwide are compliant with payment card industry (PCI) data security standards. Since compliance with PCI data security standards is critical to business operations, this role will help identify all locations globally where credit card data is stored, processed, or transmitted by employees/consultants, devices, and infrastructure.

This role will manage the process of collecting evidence to demonstrate compliance and will direct remediation of non-compliant systems. This requires understanding and balancing PCI data security standards, technical constraints, and business constraints.

This role will collaborate with Qualified Security Assessors (QSA), vendors, Legal, Human Resources, Global Communications, Global Security, Finance, and Information Technology (IT) teams and leadership across brands, regions, and functions. This requires developing relationships and negotiating acceptable solutions that take into account competing priorities.

This role will manage vendors that interact with ELC’s cardholder data environment, ensuring full compliance with and evidence for PCI and corporate policies/standards. This role will assist brands, regions, and functions embarking on new ventures that may be exposed to credit card data, providing guidance to minimize contact with credit card data, and to lay the foundation for continuous compliance and evidence gathering.

This role will contribute PCI knowledge to Security Operations Center (SOC) projects, including security analysis, incident response, case management/workflow tools, vulnerability management, pen testing/red teaming, mobile security, insider threat, and metrics.

This role necessarily deals with highly confidential and sensitive information, and the role is expected to both define appropriate handling of such information for the enterprise and to implement best handling practices.

Conduct governance activities that ensure continuous compliance with PCI Data Security Standards. This includes, but is not limited to: vulnerability scanning, patching, file integrity and change detection, security log reviews, firewall rule set reviews, cryptographic key replacement, cardholder data storage location security, media inventory, penetration testing, and wireless access point scans.

Lead annual PCI assessment, with the goal of obtaining Qualified Security Assessor Attestation of Compliance for all relevant corporate departments.

Manage the PCI vendor master list; identify all vendors that provide software/services impacting the cardholder data environment. Maintain a description of the services provided, PCI data security standards supported by each vendor, and current copies of Attestations of Compliance and/or contractual agreements.

Communicate PCI Compliance IT Risks to the IT Leadership Team, enabling balanced risk decisions across IT.

Resolve issues arising from non-compliance by developing solutions that are acceptable to the acquiring banks, that account for budget constraints, and that are technically feasible. Direct the remediation and repair of non-compliant systems, software, and technologies across all brands, functions, and regions.

Review security policies and incident response processes, and provide recommendations to reflect changes to business objectives, the risk environment, and PCI data security standards.

Evaluate and approve risk decisions that could impact the cardholder data environment or connected systems.

Document standards and guidance to help brands, regions, and functions deploy PCI compliant solutions. Provide guidance and oversight to new developments globally that could include exposure to credit card data. Ensure systems are designed so that infrastructure, people, and processes limit contact with credit card data, providing guidance/oversight to ensure full compliance if contact is needed.

Research technologies with the potential to positively impact credit card handling and/or reduce compliance exposure. Provide project oversight for changes to existing credit card handling systems.

Identify opportunities for automation of evidence production to support PCI assessments and continuous compliance. Provide oversight that maintains a central repository containing PCI supporting evidence and guidance documentation.

Identify overlap with other audits to de-duplicate evidence collection and generate other efficiencies. Identify risks to future audits; lead activities to mitigate these risks.


Deep information security expertise including: security and vendor risk management; business continuity/disaster recovery; security awareness and training; risk assessments; scenario planning; vulnerability scanning/identification/management and patch management; application security; network security; and information security metrics.

Deep understanding of the Payment Card Industry Data Security Standard (PCI DSS) and how it applies to retail and manufacturing company operations.

In-depth understanding of IT audit and control methodologies, concepts, tools, and objectives. Hands-on experience leading PCI assessments and working in other key technology domains, including coding/developing, understanding/communicating technology standards, deploying new technologies, and integrating new/existing technologies.

Functional understanding of retail systems, call centers, and online retail applications.

Strong leadership and management skills, including experience managing vendor relationships, managing consultants and matrixed teams, managing budgets, making critical/timely decisions, and solving unique/complex problems.

Executive-level communications and interpersonal skills, including experience briefing C-level leaders, influencing others, and engaging with information security and other leaders. Solid verbal and written ability to communicate policies, standards, and procedures to all levels of the business.

Strong project management skills, including demonstrated ability to plan and manage projects.

Experience handling, securing, and communicating highly confidential and sensitive information.

Job: Information Technology

Primary Location: Americas-US-NY-Long Island City

Job Type: Standard

Schedule: Full-time

Shift: 1st (Day) Shift

We are an equal opportunity employer. Minorities, women, veterans, and individuals with disabilities are encouraged to apply.

Job Number: 192118