AppRecode is a DevSecOps consulting firm with 30+ professionals serving clients across Europe and the United States. We specialize in PCI DSS Level 1 compliance implementations for payment processing platforms, delivering production-grade secure infrastructure that meets stringent regulatory requirements.
We are seeking a Senior DevOps Engineer to lead PCI DSS Level 1 compliance implementations for payment processing clients. You will architect and implement secure AWS-based Kubernetes environments for systems handling cardholder data (CHD), working directly with clients to ensure all infrastructure meets PCI DSS v4.0.1 requirements while optimizing for cost and performance.
Key Responsibilities
PCI DSS Compliance Implementation * Design and implement PCI DSS v4.0.1 Level 1 compliant AWS infrastructure for payment processing platforms * Define and secure Cardholder Data Environment (CDE) boundaries with proper network segmentation * Implement centralized logging infrastructure with 1-year retention and immutable audit trails (S3, CloudWatch, CloudTrail) * Configure encryption at rest and in transit (TLS 1.2+, mTLS, KMS encryption, certificate management) * Deploy File Integrity Monitoring solutions (Wazuh) and configure security alerting * Implement vulnerability management programs (Amazon Inspector, ASV scanning coordination) * Configure AWS security services: GuardDuty, Security Hub, Config with PCI DSS Conformance Pack * Coordinate penetration testing activities and remediate security findings * Create and maintain security policies, procedures, and compliance documentation
AWS Infrastructure & Security * Design multi-AZ VPC architectures with CDE isolation and network segmentation * Implement IAM roles, policies, and MFA enforcement following least-privilege principles * Manage KMS encryption keys with automatic rotation * Configure security groups, NACLs, VPN access, and bastion hosts * Optimize AWS costs and implement cost monitoring dashboards * Design backup and disaster recovery solutions meeting PCI requirements * Deploy and optimize RDS PostgreSQL, Redis, and RabbitMQ with encryption
Kubernetes & Microservices Security * Deploy production EKS clusters with security hardening (private API, envelope encryption) * Implement RBAC, Pod Security Standards, and Network Policies for CDE workloads * Configure Istio service mesh for mTLS enforcement between microservices * Set up automated certificate management with cert-manager * Deploy microservices across multiple environments (dev, staging, production) * Configure EKS control plane logging and security monitoring
CI/CD & Automation * Build secure CI/CD pipelines (GitHub Actions) with security gates and scanning * Integrate SAST tools (SonarQube/SonarCloud), dependency scanning, and container image scanning * Implement HashiCorp Vault for secrets management (no secrets in code) * Develop Infrastructure as Code using Terraform for entire AWS stack * Create Helm charts for application deployments * Automate compliance validation and drift detection
Monitoring & Observability * Deploy Prometheus and Grafana for infrastructure and security monitoring * Integrate Sentry for application error tracking and telemetry * Configure AlertManager with PagerDuty for 24/7 security alerting * Create dashboards for security events, cost monitoring, and compliance metrics * Implement security event monitoring and anomaly detection
Required Qualifications
Mandatory Requirements * 5+ years of hands-on DevOps/SRE experience with production systems * Proven experience implementing PCI DSS Level 1 compliance (multiple projects strongly preferred) * Deep understanding of PCI DSS v4.0.1 requirements, SAQ completion, and QSA audit processes * Expert-level AWS knowledge (VPC, EC2, EKS, RDS, S3, KMS, IAM, CloudWatch, GuardDuty, Config, Security Hub) * Production Kubernetes/EKS expertise (RBAC, Network Policies, Pod Security Standards, security hardening) * Strong Terraform experience (3+ years) for infrastructure provisioning and management * Helm charts for Kubernetes package management * Experience with service mesh technologies (Istio preferred) for mTLS implementation * CI/CD pipeline development (GitHub Actions, GitLab CI, or Jenkins) * Strong Linux system administration skills (Ubuntu/Debian preferred) * Deep understanding of encryption, network security, and authentication mechanisms * Experience with security scanning tools (SAST, dependency scanning, container scanning)
Highly Desired * Experience with HashiCorp Vault for secrets management * Grafana and Prometheus for monitoring and observability * Sentry integration for application monitoring * Production experience with RabbitMQ, Redis, and PostgreSQL * Python scripting for automation and tooling * Wazuh or similar FIM solutions * SonarQube/SonarCloud integration * AWS cost optimization and FinOps practices * Knowledge of other compliance frameworks (ISO 27001, SOC 2, HIPAA)
Professional Skills * Excellent communication skills with ability to work directly with clients * Experience in consulting or professional services environments * Strong problem-solving and analytical abilities * Self-motivated with ability to manage multiple projects simultaneously * Proactive approach to identifying security and compliance issues * Team player with collaborative mindset * English fluency (written and verbal) required
What AppRecode offers * 20 days of paid annual leave plus public holidays. * 5 paid sick days per year. * Remote-first work environment. * Friendly and supportive team culture. * Personal development plans and access to experienced mentors and technical leaders. * Reimbursement for sports activities and professional certifications (after probation). * Ongoing learning opportunities: internal trainings and knowledge-sharing sessions. * Free English classes if you want to further improve your communication skills.
