
Staff Security Engineer - Cryptography & Key Management
We’re seeking an experienced Staff Security Engineer with a strong passion for data security and a deep understanding of encryption and key management. In this role, you’ll have the opportunity to shape and implement cutting-edge security strategies to protect sensitive data across our platforms.
Join us in building secure cloud environments where you’ll play a crucial part in:
- Cloud Data Security – Driving initiatives around data discovery, classification, and protection.
- Encryption & Key Management – Leading encryption and secrets management across the enterprise.
- PKI & Certificate Management – Architecting robust public key infrastructures and certificate solutions.
This is a remote-first role, with the option to work from anywhere within the U.S. or from our Oakland office. If you're excited about designing and securing the future of data, we’d love to have you on our team!
What You'll Do:
- Lead the development of enterprise-level data security architecture and strategies.
- Define encryption and secrets management standards, ensuring alignment with product development and enterprise needs.
- Collaborate closely with security, technology, and privacy teams to implement and maintain data classification, encryption, and key management standards.
- Deploy, configure, and manage cloud-based Key Management Services (KMS) and Hardware Security Modules (HSMs).
- Participate in Proof of Concept (POC) testing and demonstrations for new cryptographic products and services.
- Serve as a key custodian, overseeing the full lifecycle of sensitive key material, including governance and security controls.
- Maintain and update data security tooling such as Data Security Posture Management (DSPM) and Data Loss Prevention (DLP) solutions.
- Ensure systems remain compliant with evolving security standards like PCI-DSS and FIPS 140-2 & 140-3.
- Provide operational support, including on-call rotation, and document critical procedures such as key lifecycle management and disaster recovery plans.
- Research emerging security standards and advise on their integration into our strategies.
What We're Looking For:
- A minimum of 8 years related experience with a Bachelor’s degree; or 5 years and a Master’s degree; or a PhD with 3 years’ experience; or equivalent combination of related education and work experience.
- 5+ years of professional experience within data security including encryption, tokenization, PKI implementation and key management.
- 4+ years of in-depth experience working with payment and/or general-purpose HSMs and cloud KMSs.
- 4+ years of practical experience in encryption algorithms (e.g., AES, RSA), protocols (e.g., TLS/SSL), key management, and secrets management.
- 3+ years with cloud computing architectures and Infrastructure as Code (e.g., Terraform).
- 2+ years of working experience with security regulatory/compliance requirements including PCI, NIST and GDPR.
- 2+ years of experience with data security, classification and posture management tooling.
- Strong collaboration and communication skills, with the ability to influence cross-functional teams and stakeholders.
- Problem-solving skills to navigate complexity and security risks with confidence and flexibility.
Nice to Have:
- Experience with Thales payShield HSM, AWS KMS and AWS Secrets Manager.
- Coding experience and working knowledge of Google Tink, PKCS#11, JCE, OpenSSL and other crypto libraries.
- Familiarity with Kubernetes, cloud platforms, and IaC tools like Terraform.
- Experience with AWS Payment Cryptography would be a major plus.
- CISSP, CCSP, CISA or other appropriate certifications are a plus.
Job Expectations:
- Occasional travel (up to 10%).
- A hiring process that includes an application, recruiter call, hiring manager video call, and a virtual “onsite” interview.
Compensation and Benefits
Marqeta is a Flex First company which allows you to choose your best working environment, whether that be from home or at a company office. To support Flex First, we calibrate pay to a competitive value according to working location. Compensation is aligned according to three tiers within the United States:
- National: A baseline tier that applies to most of the geographic territory of the United States.
- Premium: Slightly elevated from the National tier, and oriented toward a narrower set of higher cost-of-living areas, such as Los Angeles, CA and Seattle, WA.
- Premium Plus: A tier for the most expensive working areas, like the San Francisco Bay area and New York City.
Visit this page or consult with a Recruiter to determine which tier would be applicable to you.
When determining salaries, we consider several factors including, but not limited to, skills, prior experience, and work location. The new-hire base salary range for this position is:
- National: $167,100 - $208,900
- Premium: $179,800 - $224,700
- Premium Plus: $195,400 - $244,200
We also believe in recognizing the contributions of our people. That's why we award annual bonuses to eligible employees, rewarding both individual performance and the success of the entire company.
Along with monetary compensation, Marqeta offers:
- Multiple health insurance options
- Flexible time off – take what you need
- Retirement savings program with company contribution and after-tax contributions
- Equity in a publicly-traded company and an Employee Stock Purchase Program
- Family-forming benefits, fertility support, and up to 20 weeks of Parental Leave
- Free therapy sessions, financial and professional coaching, and legal advice
- Monthly stipend to support our remote work model
- Annual “development dollars” to support our people growth and development