IBM public cloud has expanded its security and compliance posture.

IBM Cloud Virtual Private Cloud (VPC) offerings are now audited against the Payment Card Industry Data Security Standard (PCI DSS) and the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) framework.

VPC offerings now compliant with PCI DSS

IBM Cloud VPC offerings are compliant with PCI DSS version 3.2.1 at Service Provider Level 1. The Attestation of Compliance (AOC) from an approved Qualified Security Assessor (QSA) is available upon client request, as well as a Service Responsibility Matrix guide from IBM.

With IBM Cloud VPC, IBM clients can build, deploy and operate a payment processing system and cardholder data environment (CDE) to properly handle credit card data. Clients must independently analyze their environments and use cases in order to verify that their own control environment meets the requirements set forth by the PCI Security Standards Council (SSC). A client’s QSA can determine the appropriate division of responsibilities for operating on IBM Cloud. 

SOC reports now available for VPC Offerings

The AICPA developed the System and Organization Controls (SOC) to assess, address and report on the risk associated with an outsourced service:

• SOC 1: As defined by the AICPA, a SOC 1 report details “Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR). These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.” IBM Cloud SOC 1 audits also include audit for the International Standards for Assurance Engagements No. 3402 (ISAE 3402). The IBM Cloud VPC SOC 1 Type 2 report is available upon request.
• SOC 2: SOC 2 audits produce reports based on the AICPA Trust Service Principles and Criteria, defined as “intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.” The IBM Cloud VPC SOC 2 Type 2 report for security and availability principles and controls is available upon request.
• SOC 3: These reports are “designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report”. The IBM Cloud VPC SOC 3 report is published and generally available.

VPC offerings in scope for PCI DSS and SOC 1/2/3 compliance

• IBM Cloud Block Storage for Virtual Private Cloud
• IBM Cloud Flow Logs for VPC
• IBM Cloud Virtual Private Cloud (including Load Balancer for VPC and VPN for VPC)
• IBM Cloud Virtual Server for VPC (including Auto Scale for VPC and Dedicated Host for VPC)
• IBM Cloud Virtual Private Endpoint for VPC

Learn more

• See a full list of PCI DSS-ready IBM’s public cloud services and options to request a PCI DSS AOC and SRM guide.
• See a full list of IBM’s public cloud services, published SOC 3 reports and options to request SOC 1 and SOC 2 reports.