PCI and SOC 2 Audit Requirements: Combining PCI & SOC 2 Audits

Clients often ask me if policies and processes put in place for the Payment Card Industry Data Security Standard (PCI DSS) compliance can be used to pass their Service Organization Control (SOC) 2 audit. While some overlap exists between the security procedures required to “pass” your PCI and SOC 2 audits, the biggest difference between the two is the scope: PCI DSS is focused on the part of the environment that stores, processes or transmits cardholder data, while SOC 2 has a broader scope of sensitive internal and customer data within the defined entity, operating unit, or function.

What is a SOC 2 Audit?

A SOC 2 audit is a voluntary examination conducted to evaluate and report on controls put in place over infrastructure, data, systems, and people based on their compliance with the AICPA’s (American Institute of Certified Public Accountants) Trust Services Criteria (TSC).

There are five trust services categories, defined by the AICPA and each of the categories has its own defined criteria:

1. Security – “Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”
2. Availability – “Information and systems are available for operation and use to meet the entity’s objectives.”
3. Processing Integrity – “System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”
4. Confidentiality – “Information designated as confidential is protected to meet the entity’s objectives.”
5. Privacy – “Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.”

Every SOC 2 report will contain security with the other trust service categories included based on the individual client needs.

There are two types of SOC 2 reports – 1 and 2. SOC 2 Type 1 is performed as a point-in-time examination, while SOC 2 type 2 requires an audit of the controls operating over a period of time (usually 6+ months). SOC 2 examinations are generally performed by a CPA-affiliated audit firm or at least signed off on by a licensed CPA.

 

What is a PCI Audit?

A PCI audit is an evaluation of the company’s information security controls performed against the Payment Card Industry Data Security Standard (PCI DSS). The following 12 PCI DSS requirements apply to businesses that process, store or transmit cardholder data:

• “Install and maintain a firewall configuration to protect cardholder data.”
• “Do not use vendor-supplied defaults for system passwords and other security parameters.”

• “Protect stored cardholder data.”

• “Encrypt transmission of cardholder data across open, public networks.”

• “Use and regularly update anti-virus software or programs.”

• “Develop and maintain secure systems and applications.”

• “Restrict access to cardholder data by business need to know.”

• “Assign a unique ID to each person with computer access.”

• “Restrict physical access to cardholder data.”

• “Track and monitor all access to network resources and cardholder data.”

• “Regularly test security systems and processes.”

• “Maintain a policy that addresses information security for all personnel.”

A PCI DSS audit is a point-in-time assessment performed by an independent Qualified Security Assessor or an Internal Security Assessor hired by the company.

 

Are SOC 2 and PCI DSS Audits Similar?

While many differences exist between the SOC 2 TSC and PCI DSS requirements, comparing them to each other would not be a complete apples-to-oranges scenario. Both include basic security controls such as the following (and more):

• Restricting system and physical access
• Securing endpoints and servers
• Encrypting communications and data at rest
• Following a secure development and deployment process
• Monitoring the internal control environment, etc.

You will also find that PCI DSS, similar to SOC 2, requires that information security policies are put in place and shared throughout the company. The key difference is the type of data being protected: PCI DSS is focused on cardholder data, while SOC 2 has a broader scope of sensitive internal and customer data within the defined entity, operating unit, or function.

What Can I Expect from a PCI DSS Audit When Compared to a SOC 2 Audit?

For the most part, both PCI DSS and SOC 2  audits will follow a set of basic steps. Like many audits, the project will start off with some kind of a gap analysis, subsequent scoping, and end when a report is prepared.

Similarities Between the PCI & SOC 2 Audit Processes

• Audit Readiness (or Gap Analysis)

1. •  During this step, the auditor will meet with your team to talk about existing information security processes (such as risk management, endpoint security, etc.) and controls and identify any gaps needing remediation. You will be provided with a list of items that need to be addressed prior to the audit.

• Remediation 

1. • After readiness, your auditor will provide a list of gaps and recommendations for addressing the gaps identified. The remediation steps need to be followed to mitigate the risks posed by the weaker areas and ensure that you are ready for the assessment.

• Scoping and Fieldwork

1. • At this point, the auditors are ready to begin testing. They will meet with your team once again to discuss the processes and controls in place and request various pieces of evidence to corroborate the understanding obtained through inquiry.

• Report Issuance

1. • This is perhaps the most exciting part of the whole process, because this is why we went through all of that trouble, right? The auditor will issue a report with the results of the assessment.

Keep in mind that as an “as of date” evaluation, the PCI DSS audit process will more closely resemble a SOC 2 Type 1. That means that if some items identified during readiness are not remediated at the time of testing, your company will have a chance to remediate them at the time of the audit without affecting the report outcome.

 

Differences Between PCI & SOC 2 Audits

So what is the SOC 2 vs. PCI DSS difference, and why doesn’t being compliant with one make you automatically compliant with the other? Some of the key difference points are outlined below:

• The Type of Organizations That Need SOC 2 vs. PCI DSS

• • SOC 2 covers organizations that store, transmit or process customer data, while PCI DSS applies to companies that process, store, or transmit credit card data.
• The Scope
• • SOC 2 audit will generally include the people, systems, and services used to store, transmit or process customer data, while the scope of a PCI DSS audit will be limited to the cardholder data environment.

• The Type of Data Protected

1. • SOC 2 deals with personally identifiable information (PII), PCI DSS is concerned with cardholder data.

• The Credentials Needed to Perform the Audit

1. • SOC 2 audits are generally performed by a CPA-affiliated firm or at least signed off on by a licensed CPA. PCI DSS assessment is done either by an independent qualified security assessor (QSA) or an internal security assessor (ISA).

 

So Can (or Should) You Consider Combining Your PCI & SOC 2 Audits?

The approach of running concurrent audits is not an easy undertaking in my experience. Each company will have a different ability to support such audits depending on the resource availability, overall security program maturity, and the experience level of the audit teams performing the assessments.

How to Minimize Duplication of Effort When Preparing for SOC 2 & PCI DSS Audits

I have found that clients often try to leverage policies, processes, and procedures developed for PCI DSS to pass their SOC 2 audit, and vice versa. Audit fatigue is a real thing, and we all want to be more efficient. My advice is to always discuss all ongoing compliance efforts with your auditor during readiness. Many of us have performed various audits throughout our careers and have a good understanding of overlaps that exist.

Additionally, always keep the scope (the people, systems, and infrastructure) of the audit in mind. For example, a vulnerability scan performed for the purposes of PCI DSS compliance might not always cover all of the network sections needed to be scanned for SOC 2 compliance purposes.

Summary

Companies often undergo multiple audits (like SOC 2 and PCI DSS) and in order to reduce the duplication of effort, understanding the requirements set forth by each audit standard is important. Discussing all ongoing compliance efforts with your auditor and keeping the scope in mind is the best way to maximize the efficiency of creating and updating your internal information security program.

At this time Linford & Co. does not perform PCI audits; however, we specialize in SOC 1 and SOC 2 examinations. Please contact us for further information to determine if a SOC audit is the right decision for your organization.