Cardless

Product Security Lead

Cardless · San Francisco, CA · Posted 2026-06-10

Salary: $190K–$260K
Type: Full-time
Experience: 5+ yr

Cardless is the infrastructure that lets consumer brands put credit cards directly in their own product. Instead of sending customers off to a bank's website to manage their card, our platform handles the credit program end-to-end (applications, underwriting, servicing, rewards, compliance), so brands can build the card experience inside their own ecosystem. We power programs for Coinbase, Bilt, Qatar Airways, Alibaba, and others. We've raised $170M to date, most recently a $60M Series C led by Spark Capital.

We're hiring a Product Security Lead to drive how we build security into the platform. The work spans authentication, authorization, anti-abuse controls, in-product fraud primitives, and the secure-by-design practices that come with running credit infrastructure for partners of this caliber. The role is hands-on and deeply cross-functional, working with Engineering, Risk, Compliance, Legal, and Data. You'll report to the Head of Engineering.

RESPONSIBILITIES

  • Own the security model for our partner-facing APIs: authentication, authorization, tenant isolation, abuse prevention, signing, and audit logging.
  • Drive a coherent auth strategy across services and surfaces, including step-up auth for sensitive actions and a strong-auth roadmap (passkeys and beyond).
  • Build the device telemetry, behavioral signals, and velocity primitives that fraud and risk functions depend on.
  • Be the secure-by-design partner with Engineering — sit in on architecture reviews before features ship, write the threat models, own the tradeoffs.
  • Own secure SDLC: SAST/DAST, dependency scanning, secret detection, and the security tooling engineers interact with daily.
  • Coordinate with our infrastructure team to improve our security posture across the stack: from infrastructure, to supply chain, to first-party applications, to third-party dependencies and SaaS platforms.
  • Be the technical authority on sensitive payment data. Keep the footprint small and well-defined as the platform grows.
  • Lead incident response on security events (containment, forensics, comms, blameless postmortems) and drive vulnerability remediation across services.
  • Own the relationship with our external security architecture partner: set priorities, scope engagements, integrate findings into our roadmap.
  • Serve as the technical counterpart to ensure compliance, translating SOC 2, PCI DSS, and other security frameworks into scalable engineering solutions and ensuring in-product controls are effective in practice, not just on paper.

WHAT WE LOOK FOR

  • Strong programming skills in Java, Python, or a comparable language — you write production code.
  • Experience designing or operating secure platform / B2B APIs at scale, especially in multi-tenant environments.
  • Background in anti-ATO, anti-fraud, or authentication systems at scale (consumer fintech, marketplace, or large consumer platform).
  • Working knowledge of AWS: IAM, KMS, networking, service-to-service auth.
  • Comfort with modern AI tooling (Claude, Copilot, and similar) as a daily force multiplier across code review, threat modeling, detection engineering, and security tooling.
  • Excellent written communication. You'll write threat models, postmortems, and partner-facing security responses.
  • Comfortable owning the security function in-house while leveraging external specialists as a force multiplier.

NICE TO HAVE

  • Fintech, payments, or other regulated environment experience.
  • Threat modeling methodology background (STRIDE, attack trees, or your own).
  • Experience working alongside or building for a risk / fraud operations team.
  • Experience operating a bug bounty or vulnerability disclosure program.

WHY CARDLESS

You'll lead product security for a platform that powers some of the most recognizable card programs in the world. The work moves real dollars and real trust from the moment you ship. You'll have a real seat in every major architecture conversation, executive visibility, and an external security architecture partner you can lean on.

BENEFITS

  • 💸 Meaningful start-up equity
  • 🏥 100% health, vision & dental primary coverage
  • ➕ 75% health, vision & dental dependent coverage
  • 🍱 Catered lunches and dinners
  • 🚎 $250/month commuter benefit
  • 👶 Parental leave
  • ✈️ Team building events
  • 🌴 Flexible PTO with a minimum of 15 days off per year
  • 💸 401(k) plan
  • 🚛 Relocation assistance

COMPENSATION

This role has an annual starting salary range of $190,000–$260,000 + equity + benefits (see above). Actual compensation is influenced by a wide array of factors including but not limited to skills, experience, and specific work location.

LOCATION

San Francisco, CA — our office is in the Jackson Square district. This role is 5 days a week in office.

Market comparison: this role's midpoint is $225K vs. a market median of $185K for Engineering roles (+20% above median; 10th percentile $110K, 90th percentile $265K). Based on 14,000+ Engineering roles with disclosed salary ranges tracked on NewJob.