Senior Cryptographic Engineer (Banking & Payments Domain)

  • Full-time

Job Description

We are seeking a senior-level Cryptographic Engineer (5+ years of experience) with extensive hands-on expertise in cryptographic key management within banking and PCI-regulated payment environments.

This role is responsible for strengthening and modernizing enterprise cryptographic capabilities across on-premises HSMs, Cloud KMS platforms, and AWS CloudHSM environments. The candidate will lead the assessment, design, implementation, and governance of secure cryptographic systems aligned to global regulatory standards.

Key responsibilities include:

  • Designing and implementing secure-by-design key lifecycle management (generation, distribution, rotation, archival, destruction)
  • Managing LMK/ZMK hierarchies and payment HSM environments in PCI PIN contexts
  • Architecting and implementing hybrid cryptographic solutions across:
    • Cloud KMS (AWS, Azure, GCP)
    • AWS CloudHSM (mandatory)
    • On-prem HSM platforms (Thales, Entrust, Utimaco)
  • Assessing current KMS/HSM processes and identifying gaps against PCI PIN, PCI DSS, ISO 27001, NIST, FIPS 140-3, and ANSI X9.24
  • Translating complex cryptographic risks into clear business risk and remediation strategies
  • Digitizing lifecycle evidence through tamper-evident/WORM logging, SIEM integration, and defining event taxonomy, alerting, runbooks, and dashboards
  • Developing detailed Standard Operating Procedures (SOPs) for key ceremonies, incident response, and disaster recovery
  • Leading cross-functional workshops and engaging with senior stakeholders, auditors, and regulators

Qualifications

  • 5-10 years of extensive hands-on experience in cryptographic key management
  • Strong practical experience with enterprise HSM platforms in banking environments
  • Proven experience in the banking and payments domain, including PCI-regulated systems
  • Deep knowledge of:
    • PCI PIN & PCI DSS
    • Core banking encryption frameworks
    • LMK/payment HSM models
  • Proven implementation experience in:
    • At least one major cloud provider (AWS preferred)
    • AWS CloudHSM (mandatory)
    • On-prem enterprise HSM deployments
  • Strong understanding of:
    • TR-31, ANSI X9.24
    • KMIP, PKCS#11
    • FIPS 140-3
    • ISO/IEC 27001 cryptographic controls
    • NIST SP 800-57 and related standards
  • Experience in:
    • Digitizing cryptographic evidence and integrating with SIEM platforms
    • Designing and documenting SOPs and operational runbooks
  • Strong scripting/automation capability (Python, Ansible, PowerShell, Terraform)
  • Excellent communication, documentation, and stakeholder management skills
  • Ability to distill complex cryptographic concepts into business impact

Additional Information

At Endava, we’re committed to creating an open, inclusive, and respectful environment where everyone feels safe, valued, and empowered to be their best. We welcome applications from people of all backgrounds, experiences, and perspectives—because we know that inclusive teams help us deliver smarter, more innovative solutions for our customers. Hiring decisions are based on merit, skills, qualifications, and potential. If you need adjustments or support during the recruitment process, please let us know.
