Many users are unsure as to the difference between a SOC 2 (System and Organization Control) report and PCI DSS (Payment Card Industry Data Security Standard) compliance. While the two may have overlapping areas of focus, they are quite different. The main difference between the two is that PCI is specific to businesses that accept credit card payments and SOC 2 covers a broader range of organizations that hold, store, and/or process customer data.
Still unsure as to how this makes the two different? Keep reading to find out specifics.
The Difference Between SOC 1, SOC 2, and SOC 3
First let’s cover some background on what types of SOC reports there are and how they differ. The three most popular SOC reports are the SOC 1, SOC 2, and SOC 3. These SOC reports are performed in accordance with the Statement on Standards for Attestation Engagements 18 (SSAE 18) attestation standard issued by the American Institute of Certified Public Accountants (AICPA). That said, the three types of SOC reports have some key differences:
SOC 1 reports are applicable when the service organization can affect a user entities internal control over financial reporting (ICFR) and is outlined in AT-C Section 320 of SSAE-18, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. Most SOC 1 reports focus on controls at the service organization that are relevant the user entities financial statements.
A SOC 2 report is outlined in the following sections of the SSAE 18 attestation standard: AT-C 105, Concepts Common to All Attestation Engagements, and AT-C 205, Examination Engagements. SOC 2 reports cover a broader range of service organizations and focus on controls at a service organization relevant to their operations and compliance as they relate to the AICPA’s five Trust Services Criteria (TSCs). The five TSCs include, Security, Availability, Confidentiality, Processing Integrity, and Privacy.
A SOC 3 report is outlined in the same sections of SSAE 18 as a SOC 2, AT-C 105, and AT-C 205. SOC 2 and SOC 3 reports differ in the audience the reports are meant for; a SOC 2 is a restricted use report and a SOC 3 is a general use report. As such, a SOC 3 report contains less detail than a SOC 2 report.
SOC 2 Report Criteria
Since SOC 2 reports are most commonly compared to PCI DSS assessments, here is some additional information relevant to SOC 2 examinations.
As mentioned above, SOC 2 examinations are applicable to organizations that handle customer data and cover the AICPA’s five TSCs. The only TSC that must be included in a SOC 2 report is Security, also known as the Common Criteria. The other TSCs (Availability, Confidentiality, Processing Integrity, and Privacy) can be included at the discretion of management at the service organization depending on the criteria applicable to the organization’s system and services. The service auditor can also assist management in determining what criteria are applicable once the scope of the examination has been set.
A SOC 2 report must be signed off on by a licensed CPA. Typically, SOC 2 examinations are performed by a licensed CPA auditing firm with experience in Information Security audits not just financial audits.
When selecting a service auditor to work with, one way for an organization to determine the experience level of their potential service auditor is to ask for their resumes or bios. Additionally, there are some companies that are not licensed CPA firms that perform SOC 2 examinations and they have a CPA firm sign off on the report. We advise clients against this option as the CPA firm did not perform the work they are signing off on.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards specifically for organizations that accept, store, process or transmit credit card information (i.e. cardholder data). This standard is administered by the Payment Card Industry Security Standards Council (PCI SSC) and was created in an effort to reduce credit card fraud. This standard focuses on an organization’s controls around cardholder data and there are different compliance ‘levels’ based on transaction volume.
In order to become PCI compliant there are several steps an organization should take including:
- Assessing their compliance level
- Making any changes needed to become compliant
- Completing a formal attestation of compliance
In order to assist organizations in becoming PCI compliant, the PCI SSC has a listing of qualified security assessors.
Organizations are not legally required to be PCI compliant but if organizations adhere to the standard they are better equipped to protect their customers and themselves. If an organization is not PCI compliant and a data breach occurs, they could be fined for the PCI compliance violations.
Differences Between SOC 2 and PCI
The main difference between SOC 2 and PCI are related to the organizations these standards apply to. Though both focus on security controls in place at an organization, SOC 2 examinations are applicable to a much broader range of organizations and focus on the security, availability, confidentiality, processing integrity, and/or privacy of customer data. While PCI on the other hand, has a narrower focus, specific to organizations that accept, store, process, or transmit cardholder data. Cardholder data is defined as the full Primary Account Number (PAN) or the full PAN plus any of the following: card holder name, expiration date, and service code.
Additionally, the professionals that can perform SOC 2 examinations and assist organizations with becoming PCI compliant are different. SOC 2 examinations are conducted by licensed CPA firms who ideally have experience with information security audits. On the other hand, there are qualified security assessors that can assist organizations with PCI compliance. Some professionals may be licensed to do both, but it is important for the organization to do their due diligence and determine that they are working with professionals that are licensed to assist them in the compliance areas they are looking for.
To summarize, SOC 2 and PCI DSS are two different standards that apply to different types of organizations. The key takeaways to note are that SOC 2 reports are performed in accordance with SSAE 18, issued by the AICPA, and are applicable to organizations that hold, store, and/or process customer data, while PCI DSS is a standard administered by the PCI SSC and is applicable to organizations that accept, store, process, or transmit cardholder data.
Additionally, the professionals that perform these assessments typically have a different skill set; SOC audits are performed by licensed CPA firms, while PCI DSS assessments are performed by qualified security assessors.
Though Linford & Co. does not assist organizations with becoming PCI compliant, we do specialize in SOC 1 and SOC 2 examinations. Please contact us for further information regarding if a SOC audit is the right decision for your organization.
Megan Kovash works primarily on SOC audits with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Masters of Accountancy with the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions to better her client’s business.