How to Gain Efficiencies When Adding PCI DSS to Your SSAE 16 or SOC 2 Report

By: Lori Crooks, Managing Consultant at A-LIGN

If you process, store or transmit credit card data and already have an SSAE 16 or SOC 2 report, you might be considering adding on a PCI DSS assessment – and it isn’t as painful as you may think! In areas such as physical security, logical access, security awareness and human resource functions, there is significant overlap between the controls in the standards. If the testing time periods are aligned, the auditor testing the SSAE 16 or SOC 2 controls can also test the same areas for the PCI DSS Report on Compliance. Let’s take a closer look at these overlapping functions.

  • Physical Security – The SSAE 16, SOC 2 and PCI DSS audits each test to ensure that physical controls are in place. For example, visitors are checked in and escorted, badges are issued and managed, and cameras are in place and monitored.
  • Logical Access – Logical access controls are tested for each report to ensure that authorized individuals gain access to information appropriate for their job function. This would include assigning a user ID and password, periodically ensuring that access is still appropriate and then disabling access when the user no longer needs it or is terminated. Managing the password parameters for the various systems can also be tested once for all of the reports.
  • Security Awareness – Security awareness training should be provided to employees and is tested as part of the audits. As part of the onboarding process, new hires should be trained on basic security requirements, such as protecting their password, not allowing tailgating, etc. This training should also be conducted at least once a year throughout the organization.
  • Human Resources Functions – Basic human resources functions, such as onboarding, terminations, and conducting disciplinary actions, are all processes that can be tested once for all of the reports.

In order to gain additional efficiencies in these control areas, the testing period for each of the reports should be close together. It is important to ensure that the auditor only pulls one sample for the entire testing period and uses the same sample for all reports. To gain further efficiencies in our testing, we also use the same audit team to perform both the SSAE 16 or SOC 2 testing and the PCI DSS testing. By doing this, you don’t have to train new team members or schedule multiple visits, and you can reduce the time the audit team would need to take away from your daily activities.

If you are thinking about adding a PCI DSS assessment to your SSAE 16 or SOC 2 report, an efficient test plan can be implemented to minimize the impact of the audit on your team and reduce the overall audit fees. Please contact us for further details on how we can assist with your compliance and audit requirements.