SOC 1 – Type 2: Reports covering internal controls over financial reporting systems
These reports, written as per AT-C section 320 (Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting), are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors) to assess the effect of the service organization controls on the user entities’ financial statements.
SOC 2 – Type 2: Reports covering Security, Availability, Integrity, Confidentiality, and Privacy
These reports are intended to meet the needs of a broad range of users that require detailed information and assurance about the controls related to the security, availability, and processing integrity of the systems a service organization uses to process users’ data, as well as the confidentiality and privacy of the information processed by these systems. These reports can play a crucial role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
SOC 3 – Public report of Security, Availability, Integrity, Confidentiality, and Privacy controls
These are freely distributed, general-use reports intended to meet the needs of users who require assurance about the controls of a service organization related to security, availability, processing integrity, confidentiality, or privacy, but have no use for all the technicalities of a SOC 2® Report.
PCI – Validation of controls around cardholder data to reduce credit card fraud
Created in 2006 by the Payment Card Industry Security Standards Council, this certification was initially established by the American Express, Discover, JCB, MasterCard, and Visa networks.
The main goal of PCI compliance is to guarantee the security of sensitive data in card-based financial transactions carried out in virtual (online) environments.
The PCI DSS certification is thus mandatory for all companies that process, store, and share credit and/or debit card data over the internet.