The RSI Security web site breaks down the methods in some element, but the process in essence goes like this: The distinction between the different types of SOC audits lies within the scope and duration of the assessment: The PCI SSC has outlined twelve requirements for dealing with cardholder details https://www.nathanlabsadvisory.com/blog/nathan/empowering-businesses-through-comprehensive-cybersecurity-solutions-the-nathan-labs-approach/