SOC Reports and PCI: Better Together
For companies undergoing the PCI DSS (Payment Card Industry Data Security Standard) reporting process, it can make a lot of sense to add a SOC (System and Organization Controls) report from the AICPA for their customers. This applies especially to vendors in the Software as a Service (SaaS) sector.
For compliance professionals, listen to our accompanying audio interview discussing HIPAA, SOC and PCI compliance during a pandemic, featuring Robert Ramsay and Brett Bane of Pondurance.
SOC reports can include disclosures on the matters that concern your customers. This may help you win new customers, or assist existing customers with their vendor management process. Ideally, your company benefits from having auditors perform their tests once and then reporting the results to all of your customers for the rest of the year.
Reports from the PCI Security Standards Council are industry-standard reports on compliance with payment card security requirements. SOC reports, by contrast, may disclose whichever services and controls are most pertinent to your customer base. Security is the most common category, but Availability and Confidentiality controls are also very popular.
SOC reports allow for a flexible time period and flexible scope. You may report on a single location or service, or you may choose to report on all locations and services. You may choose your time period, as long as doing so isn’t misleading relative to the control environment. This is convenient if your operations would benefit from a report covering 7 months or 17 months (although most reports are performed annually).
SOC reports also have the benefit of allowing for disclosure of future plans. This can be especially useful if your customers expect to see a SOC report during the sales or renewal cycle.
SOC reports offer a symbol from the AICPA for your website and marketing materials.
SOC reports and PCI reporting have many things in common. Both follow the “audit once, report many” principle. They both cover a great deal of data security, risk management, and vendor oversight. And they both rely on evidence that controls are in place and operating effectively over a period of time. Because of this, the incremental cost of adding a SOC report to your PCI audit (or vice versa) is significantly less than doing them independently. Companies can save thousands of dollars and dozens of hours by combining PCI and SOC efforts. Your compliance, operations, security, and development teams will all appreciate the efficiencies of doing PCI and SOC together.
If you are already undergoing the PCI DSS process to provide a Report on Compliance or Attestation of Compliance, adding a SOC report for your clients may be a relatively small lift. You can benefit from the “double-dip” of providing evidence (and explaining your procedures) once for both use cases. The overlap in the evidence these two security audits require is what makes doing them concurrently so efficient. In effectively the same amount of time, your company can boast twice the compliance accomplishments.
Pondurance and Barnes Dennig
Pondurance and Barnes Dennig are two of the leading data security providers in the midwestern United States. We offer comprehensive data security services, including managed security, PCI DSS and SOC reporting. Contact us here, or call 513-241-8313 to learn more about the services we provide or to get a quote.