
Could someone describe SOC 2 reporting & compliance vs PCI?

This question was asked by an attendee at a recent Proformative SAS 70/SSAE 16 event: Could someone describe SOC 2 vs PCI?


Sam Wholley
Title: Consultant
Company: Frank, Rimerman + Co. LLP

SOC 2 reports are focused, generally, on the internal controls related to the operating environment of a service provider related to any combination of: Availability, Security, Confidentiality, Processing Integrity, or Confidentiality. PCI focuses, specifically, on the data security of credit card information stored in a facility - it is much more technical, around a much deeper area, of much narrower focus. Many companies have both PCI reports and SAS 70 reports, depending on the service they provide, because the control assertions scoped in the SOC 2 report would not necessarily satisfy PCI, and vice versa. For example, various types of penetration assessments, encryption, masking, and other areas are covered in PCI which are not necessarily covered in SOC 2. If you are not storing credit card information on-site, PCI may be overkill for you - if you would like to discuss the specifics around this, please feel free to send me a message.

