If your organization is required to be SAS 70 compliant along with obtaining a PCI DSS assessment, then it’s time to think about creating efficiencies of scale when conducting both the audit for SAS 70 and the assessment for PCI compliance.
By no means are there perfect synergies; rather, the SAS 70 and the PCI DSS can be looked upon as assisting each other in preparing deliverables for auditors. Here’s how it works. Auditors create “prepared by client” (PBC) lists, which are in essence a wide assortment of documents, materials, and other deliverables needed for an audit that must be prepared by the client. My advice: why not schedule the PCI DSS assessment before the SAS 70 audit, thus using many of the samples pulled for the PCI DSS assessment for the SAS 70 audit, provided the time periods are applicable? Better yet, fieldwork could be conducted in close proximity, or even overlapping, for both the SAS 70 audit and the PCI DSS assessment.

The point to make is this: compliance audits or assessments (as we’ve been told to call the PCI DSS during training, an “assessment”, not an audit!) generally ask for similar information in some shape or form. Working with an auditor that truly knows both the PCI DSS and the SAS 70 auditing standard will save you a lot of time, headaches and money. Though it’s not a 2 for 1, it does create a high level of efficiency which any organization requiring both a SAS 70 audit and a PCI DSS assessment should consider.
To learn more about PCI DSS assessments, visit the official PCI resource center.