PCI Compliance can be daunting for new merchants or service providers. The PCI-DSS contains 12 requirements, with 412 sub-requirements and sub-sub-requirements covering over 115 pages. It begs the question, "Where do I start?"
PCI Compliance can be daunting for new merchants or service providers. The PCI-DSS contains 12 requirements, with 412 sub-requirements and sub-sub-requirements covering over 115 pages. It begs the question, "Where do I start?"
Fortunately, the Security Standards Council offers a roadmap for navigating the road to PCI Compliance called the PCI Prioritized Approach. This approach lays out the DSS requirements as a set of 6 milestones to attaining compliance. In this series, we will take a look at the 6 milestones and how to apply them to your business operations.
An organization may choose a combined SOC 1, SOC 2, and PCI audit for many reasons. First, there are compliance requirements. A PCI audit may be mandatory, but too narrow of a scope to be useful to user entities, so a SOC 1 or SOC 2 is needed. Second, there are logistical reasons. If you have to go through all three audits, why not consolidate the effort into one process? Combining three audits into one process can also be a more cost-effective option. In any case, it’s important for organizations to know that a combined SOC 1, SOC 2, and PCI audit is an accessible, effective option – you just need to know what organizations are authorized to perform one.
Explaining SOC 1, SOC 2, and PCI Audits
What does a SOC 1 audit assess? A SOC 1 audit is an assessment of the internal controls at a service organization which have been implemented to protect client data. SOC 1 audits are performed in accordance with the SSAE 18 standard and report on the effectiveness of internal controls at a service organization that may be relevant to their client’s internal control over financial reporting (ICFR).
A SOC 2 audit is an assessment of the internal controls at a service organization that protect client data, but are not related to ICFR. The SOC 2 audit was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria). The Trust Services Criteria are the foundation of the SOC 2 audit, just as the SSAE 18 is the basis of a SOC 1 audit.
The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally, and a PCI audit assesses compliance on this standard. The founding payment brands include Visa, MasterCard, Discover Financial, American Express, and JCB International. The PCI DSS consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data.
Both SOC 1 and SOC 2 audits must be conducted by a CPA firm, while a PCI audit must be conducted by a QSA. This makes finding a firm that is authorized to perform a combined SOC 1, SOC 2, and PCI audit much more difficult. When deciding on one firm to perform all three assessments, it must be a CPA and QSA firm. We’ve seen many organizations hire a firm that they believe meets these requirements, then later discover that the firm is actually outsourcing one portion – like a CPA firm that doesn’t employ any QSAs, so they must outsource the PCI audit. This type of firm completely negates the organization’s goal of working with one firm for one audit process.
Case Study: CBOSS
Let’s take a look at why CBOSS chose to pursue SOC 1 and SOC 2 attestations plus a PCI RoC. As a full-service payment solution provider, CBOSS offers online payment APIs, hosted payment forms, and POS integrations that must be kept secure in order to secure cardholder data. Complying with the PCI DSS is mandatory for CBOSS – it keeps them in business! But CBOSS has also elected to pursue annual SOC 1 and SOC 2 attestations to give their team, their management, and their clients a holistic view of CBOSS’ compliance efforts. With SOC 1, and SOC 2, and PCI reports available, CBOSS can provide proof that their systems can be trusted and they will deliver secure, available services.
When asked about CBOSS’ combined SOC 1, SOC 2, and PCI audit, Mike Lendvay, Security and Compliance Manager at CBOSS, said, “PCI compliance keeps us in business. The PCI framework is really detailed, but it’s only concerned with cardholder data. Meanwhile, SOC reports are all but mandatory. The SOC audits give a full report of our environment as a whole; everything that we offer to our customers is looked at during SOC audits. That’s why SOC reports are helpful – to have a single document summarizing all the controls that we utilize. It acts as reassurance to us on the operation of our environment, as well as reassurance to our customers.”
Richard Rieben, Lead Practitioner at KirkpatrickPrice, commented, “CBOSS is a great example of what happens when a team of highly-skilled personnel not only understand the frameworks involved in their SOC 1, SOC 2, and PCI assessments, but also understand that security inherently leads to compliance, not the other way around. This commitment to protecting the sensitive data their clients trust them with has yielded a significant return on investment.”
Originally posted on the KirkpatrickPrice blog: https://kirkpatrickprice.com/blog/combining-soc-1-soc-2-and-pci-audits/
Most of the world has transitioned from traditional magnetic stripe credit cards to EMV chip cards, but the U.S. has been slow to adopt this revolutionary technology. In this article, we will explain EMV devices, Point-to-Point encryption, and provide some reasons why your organization should consider migrating to these technologies.
How Can ISVs or Software Companies Benefit From Payment Integrations?
Although we call our product the Central Payment Portal due to its multitude of payment and administrative features, at its core it is a payment gateway. This post will discuss what a payment gateway is, and how using one can benefit your organization
CBOSS strives to be on the forefront of security and compliance, in order to protect the data of our clients and their customers. As the result of ten-plus years of audits, CBOSS has developed a comprehensive set of policies and procedures for managing and securing payment data. These policies, along with dedicated training, ensure the safety of sensitive information. This blog will outline the information that needs protected, as well as some best practices your organization can follow.
Accepting Credit Cards can be an intimidating task for any business, and is bound to come with many questions. In order to help you decide if becoming a credit card merchant is a good fit, we have included some common questions and answered them below. These questions deal with three areas new merchants often have questions about: price, compliance, and e-commerce.