FinSec Scorecard
Once you know which frameworks apply, the harder work is actually achieving readiness. FinSec Scorecard helps small fintech teams assess PCI DSS and SOC 2 readiness across AWS infrastructure.
Answer eight questions about your business and instantly see which compliance frameworks likely apply to you, from SOC 2 and PCI DSS to GDPR and FedRAMP.
Tell us about your business and we will show you which compliance frameworks are required, recommended, or worth watching, with a brief explanation for each.
Everything runs in your browser. No data is sent anywhere.
This tool provides a starting point for understanding which compliance frameworks may be relevant to your organization. It uses simplified heuristics based on common applicability criteria. Every business is different, so engage qualified legal or compliance counsel before committing to a specific framework or making compliance claims. The results here do not constitute legal, regulatory, or professional advice.
CompliQuiz was a paid framework-discovery quiz. It has been shut down. The reason is a useful lesson for builders thinking about awareness-versus-execution problems.
It depends on three things: your industry, the data you handle, and where your customers are. A B2B SaaS selling to enterprises almost always needs SOC 2. Anyone touching card payments needs PCI DSS. Healthcare in the US means HIPAA. EU users mean GDPR. This tool asks eight questions and maps your answers to the frameworks that apply.
Not by law; SOC 2 is voluntary. You need it when enterprise buyers start asking for it in security questionnaires. That usually happens around your first real enterprise deal or when ACVs move above ~$25k. Start with a Type 1 report (a point-in-time assessment of control design), then a Type 2 (which covers an observation period of six to twelve months) once you're past the first audit cycle.
The moment you store, process, or transmit cardholder data. If you use Stripe Checkout or a hosted payment iframe, so that card data never passes through your servers or your page's own code, you're typically in scope for SAQ A (the lightest tier). If card data ever touches your servers, you're in a much heavier tier. The scope question matters more than the volume question: offload processing to a provider and your PCI burden drops dramatically.
Yes, if you have users in the EU or UK, or if you monitor EU residents' behavior (analytics, ad targeting). The location of your company doesn't matter; the location of the data subject does. The minimum you need: a lawful basis for processing, a privacy notice, a way to handle data subject requests, and a Data Processing Agreement with every sub-processor.
SOC 2 is a US-led attestation focused on service organization controls against the five Trust Services Criteria. ISO 27001 is an international certification for an Information Security Management System (ISMS). US buyers usually ask for SOC 2; European and APAC buyers often prefer ISO 27001. Many companies eventually do both because roughly 70 to 80% of the controls overlap.
Identifying the framework is the easy part. The hard part is mapping controls, closing gaps, and producing audit-ready evidence without burning a quarter on it. For fintech teams on AWS, FinSec Scorecard walks through PCI DSS and SOC 2 readiness control by control, so you know exactly where you stand before you start writing checks to consultants.