Payoff is hiring a

Security Engineer - 3rd Party Vendor Risk



Happy Money® is the fintech of the future, delivering digitally-native financial tools and services for human happiness™ through its purpose-driven marketplace between mission-aligned capital and consumers. Happy Money is creating an alternative to the "Sad Money™" system with a connected ecosystem of consumer financial products designed to help borrowers become savers. Happy Money. A Happier Future.™

Backed by leading investors including Anthemis Group, Tencent Holdings and CMFG Ventures, Happy Money has helped over 80,000 members pay off nearly $1.5 billion in credit card debt. Founded in 2009, Happy Money has over 270 employees and is based in Tustin, California.


We are hiring a brand new Security Engineer to join our small but mighty team! This will be an individual contributor role that reports to our Information Security Manager. There is one opening for a mid-level Security Engineer who will manage our 3rd party vendor risk assessments.

Here at Happy Money, we live by our core values of Love, Trust, and Hustle and welcome all. Love is shown in how we develop meaningful relationships with everyone we interact with, whether it’s a member or your manager. Trust is shown through how we empower each other to come to work as our true selves and embrace our differences. Hustle is shown through how we fail fast and learn from our mistakes. No one is perfect, we’re all human; if this job description doesn’t exactly match your background, we urge you to apply anyway!


  • 2-4 years of experience in Security.
  • Experience conducting vendor information security risk assessments, including Security Policy, HR Security, Access Control, Secure Systems Development, Incident Management & Compliance, Business Continuity and Disaster Recovery. Good understanding of cloud computing and IaaS/PaaS/SaaS platforms.
  • Ability to pinpoint architecture security vulnerabilities during assessment.
  • Experience conducting vendor calls and negotiating fixes and timelines.
  • Experience working closely with Legal and Compliance departments.
  • Understanding of penetration and vulnerability reports.
  • Ability to implement a GRC system.
  • Ability to deliver reports with risk-rated issues and suggested remediations. Experience in maintaining a Risk Registry and verifying required fixes on a timely basis.
  • Experience in implementing a risk-based vulnerability policy and meeting with stakeholders to uphold timelines.
  • Familiarity with compliance reports: SIG Questionnaire, SOC2 Type II, ISO 27001, GDPR, CCPA, PCI DSS, and others.


  • Experience providing application risk assessments.
  • ISACA and/or CRISC certifications.