PCI DSS and SOC 2 are two of the most widely used cybersecurity frameworks for businesses, and they are surprisingly compatible. You can save valuable time and resources by understanding how these frameworks intersect.
Check out the video below to hear directly from Strike Graph CEO Justin Beal and Director of Sales Engineering Sam Oberholtzer about the benefits of tackling PCI DSS and SOC 2 together. Or, read on for highlights!
Summary
Justin: So our first question - this is going to be a lot of fun. I'm the questioner. You are the expert today. What is PCI DSS? We could just start there with a big overview.
Sam: Of course. Don't want to bore everyone too much, but at least it's exciting for the folks who may not know that they actually need to be compliant with this. So just starting off, PCI DSS stands for Payment Card Industry Data Security Standard, and this is a type of audit that an independent body or a qualified assessor will actually come in and assess against the standard. And so really there's a council called Security Standards Council, that is actually the ones that enforce the standard, but really the big payment credit card companies, Visa, MasterCard, American Express, Discover, and JCB are actually the ones that have to enforce it.
Justin: Oh, I see. So if, essentially, let's say that I have a tech startup or I have an online platform. We want to process credit cards. You're not going to be able to store, submit, get Visa to pay you back, run a transaction without compliance against this standard. Is that right?
Sam: So actually you technically are still going to be allowed to process cardholders' data. However, it's up to those five big credit card companies to actually perform audits and investigations. So we'll definitely dive into the fines later, but I thought that was super interesting, that the council is not actually required to do so, but the banks themselves are allowed to and should do that.
Justin: Absolutely. Yeah. So tell me a little bit, a lot of our customers are looking for SOC 2 reports. That's the general security compliance standard that I think a lot of people in North America have gravitated towards. What's the difference between PCI DSS and SOC 2, and if I did SOC 2, how far away might I be from PCI DSS?
Sam: Yeah, absolutely. So PCI pretty much includes all of SOC 2. Of course, I will say I do have to do a disclaimer, even though when I was on the audit side, the systems overlapped. So PCI would take all of SOC 2, and then additional systems that collected the payment and credit card information. So that's why I say typically PCI will include SOC 2, because SOC 2, as we may know, really derives around the systems and the services that the company provides.
Justin: Got you.
Sam: While PCI is really highlighting the payment systems. Payment processing systems, cardholder data systems. However you may call it. And a lot of the time it is including the SOC 2 systems. And so-
Justin: Go ahead, Sam.
Sam: And I was going to say, and so typically there's about a 60% overlap. And so PCI just has an additional 40% depending on the services of the company.
Justin: Okay. That's super helpful. What we love about this, and something we of course have built into the intelligence in our platform, is that activities that you might be doing for SOC 2 that are applicable to the standard like PCI DSS, are essentially mapped to both standards. And so you're able to take advantage of work on one for work on the other. That's super helpful. …
Justin: I think the one that I always worry about is if you are going to be running these types of financial transactions, there's just so little room for error. And I think that while it's great to minimize, look, we all want to minimize the amount of compliance we have to go through. That is a given. At the same time it always makes me nervous when you're working in situations where every transaction has to be perfect. And so I do think if I were doing this, I might look through the SOC 2 portion of the standard for processing integrity.
Justin: And also probably wrap that into what I'm thinking and broadly to say like, "Do I have some controls around processing integrity, and error checking around processing integrity, so that I'm sure that these transactions are processed in the correct way." And then you get into financial controls too.
Sam: Exactly.
For businesses large and small, keeping customer credit card information safe is a must. Data breaches cost a business its customers’ trust and can result in heavy penalties, too. That’s where PCI DSS comes in. PCI DSS — the Payment Card Industry Data Security Standard — is a cybersecurity framework dedicated to the security of credit card data and transactions.
There are four PCI DSS levels of compliance, depending on the number of transactions a business processes per year. The ranges for each level go from under 20,000 transactions to over 6 million, meaning that there is an appropriately sized audit for differently sized companies. Whether you are a tech startup or a large online platform, if you process card transactions, you need to be PCI DSS compliant.
PCI DSS is highly compatible with SOC 2, another common security framework that focuses on the integrity of business systems and processes. A SOC 2 attestation — often informally referred to as a certification — is frequently a company’s first step into the world of security compliance. PCI DSS builds on the controls established for SOC 2 by addressing payment and cardholder data systems.
Fortunately, there is substantial overlap between SOC 2 and PCI DSS requirements — roughly 60% of the requirements in the two frameworks are identical and can be satisfied with the same evidence and controls. PCI DSS adds an estimated 40% more requirements on top of that, depending on the services the company provides.
That means that once a business has achieved SOC 2 compliance, it has already met over half of the requirements for PCI DSS!
For any business that has already achieved SOC 2, this overlap should bring a sigh of relief — you’ve already done much of the heavy lifting for PCI DSS. For businesses only trying to achieve PCI DSS, knowing that SOC 2 compliance will come along with the process is a significant bonus.
If your company is considering SOC 2, PCI DSS, or both, Strike Graph is ready to help you on your journey. Strike Graph can leverage your controls and evidence across multiple frameworks. This allows you to do the work once and apply it across different standards, saving you valuable time and resources.