SOC2 and PCI are a lot more than running an automated scan. Sure, that's part of it, but both are full-on frameworks that stretch well beyond technical controls and deeply into organizational questions.

The important thing is that they establish enough trust to create basis for shifting liability.