Senior Security Engineer
Indexed description
The Role
We are looking for a Senior Security Engineer with deep payments-security expertise, the ownership mindset of a compliance driver, and the hands-on instincts of a security tester. You will partner directly with Engineering leads and individual engineers — embedding security into how teams design and build, not bolting it on after the fact. Hands-on work and cross-functional influence are equally weighted here.
What You Will Do
Payments & Product Security
- Own the security posture of our EDC terminals, QRIS Soundbox, Virtual Account flows, and the APIs connecting them
- Perform threat modeling and security reviews on new payment products and infrastructure before they ship
- Define payment key management requirements: transactional key lifecycle, key injection, HSM usage, and PIN security on EDC terminals
- Harden payment APIs with HMAC request signing, mutual TLS, certificate pinning, and replay-attack prevention
- Assess risks in our Android EDC app: root detection, code obfuscation, intent restriction, local data encryption, and version allow-listing
- Own and drive ISO 27001, PCI-DSS, and SOC 2 certification cycles end-to-end: gap assessments, control implementation, evidence collection, and audit liaison
- Own PCI-DSS and PCI PTS compliance requirements for our EDC and QRIS estate: transactional key protection, PIN security standards, and payment cryptography obligations
- Assess and track alignment with Bank Indonesia (BI) PADG and POJK cybersecurity requirements for payment products
- Maintain our ISMS, policy library, risk register, and vendor security review process
- Serve as the security interface across Engineering, Product, Business, Risk, and Legal — translating control requirements into engineering work
- Run application security testing across the payments platform: DAST, SAST, dependency scanning, API fuzzing, and mobile assessments
- Build internal security tooling — automated scanners, CI/CD shift-left integrations, and dashboards that surface risk continuously
- Conduct or coordinate penetration testing of EDC, Soundbox, and backend services; own findings triage through closure
- Use AI tooling to scale security coverage — smarter scanners, anomaly surfacing, and pentest automation
- Lead P0 and P1 security incident response: cross-functional coordination, forensics, and post-mortems with MTTD and MTTR ownership
- Drive the security ladder within Engineering: secure coding guidelines, threat-modeling practices, and developer enablement
- Mentor engineers on security patterns and build reusable secure-by-default primitives across the platform
- 5–8+ years in security engineering with meaningful time in payments, fintech, or financial services
- Hands-on experience securing payment systems: EDC terminals, QR-payment infrastructure, or Virtual Account and disbursement rails
- Proven end-to-end ownership of ISO 27001, PCI-DSS, or SOC 2, scoped, implemented, and delivered, not just supported
- Deep knowledge of payment key management: transactional key lifecycle, HSM or equivalent, and cryptographic key protection standards
- Strong AppSec fundamentals: threat modeling, OWASP, Android mobile security, API security, and secure SDLC
- Experience building security automation: SAST/DAST pipelines, CI/CD integrations, or custom tooling
- Proficiency with AWS security controls: IAM, KMS, Secrets Manager, VPC segmentation, Security Hub, GuardDuty
- Clear communicator, able to articulate risk and tradeoffs to both engineering and non-technical stakeholders
- Certifications: OSCP, CEH, CISSP, CISM, PCI QSA or ISA, or equivalent
- Designed payment-API hardening controls from scratch: HMAC, mTLS, certificate pinning, replay prevention
- Experience with PCI PTS, EMV, or terminal-level security for card-acceptance devices
- Built security tooling or pentest agents leveraging AI or LLMs
- Authored threat models, RFCs, or post-mortems that materially changed how a system was built
- Familiarity with Bank Indonesia regulatory requirements for payment security and data protection
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search