This question was asked by an attendee at a recent Proformative SAS 70/SSAE 16 event: Could someone describe SOC 2 vs PCI?
Could someone describe SOC 2 reporting & compliance vs PCI?
SOC 2 reports are focused, generally, on the internal controls related to the operating environment of a service provider related to any combination of: Availability, Security, Confidentiality, Processing Integrity, or Confidentiality. PCI focuses, specifically, on the data security of credit card information stored in a facility - it is much more technical, around a much deeper area, of much narrower focus. Many companies have both PCI reports and SAS 70 reports, depending on the service they provide, because the control assertions scoped in the SOC 2 report would not necessarily satisfy PCI, and vice-versa. For example, various types of penetration assessments, encryption, masking, and other areas are covered in PCI which are not necessairily covered in SOC 2. If you are not storing credit card information on-site, PCI may be overkill for you - if you would like to discuss the specifics around this, please feel free to send me a message.