Frequently Asked Question

Can a Qualified Security Assessor (QSA) rely on the results from a non-PCI DSS assessment (for example, a SOC 2 or SOC 3 audit) for a PCI DSS assessment?
No, due to the variability of scope coverage and assessor validation procedures, a QSA cannot rely on reports from other attestation engagements (like SOC 2 or SOC 3) for a PCI DSS assessment. However, a QSA may be able to use the evidence generated during those assessments for a PCI DSS assessment, but only after independently reviewing the evidence and gaining assurance that:
- The scope of the assessment includes the relevant payment environment(s) and payment account data,
- What was covered directly maps to PCI DSS requirements,
- The evidence is within the timeframe of the PCI DSS assessment and meets any specifics called out in related PCI DSS testing procedures, and
- The relevant PCI DSS controls are "in place."
March 2023
Article Number: 1567