IBM public cloud has expanded its security and compliance posture.

IBM Cloud Virtual Private Cloud (VPC) offerings are now audited against the Payment Card Industry Data Security Standard (PCI DSS) and the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) framework.

VPC offerings now compliant with PCI DSS

IBM Cloud VPC offerings are compliant with PCI DSS version 3.2.1 at Service Provider Level 1. The Attestation of Compliance (AOC) from an approved Qualified Security Assessor (QSA) is available upon client request, as well as a Service Responsibility Matrix guide from IBM.

With IBM Cloud VPC, IBM clients can build, deploy and operate a payment processing system and cardholder data environment (CDE) to properly handle credit card data. Clients must independently analyze their environments and use cases in order to verify that their own control environment meets the requirements set forth by the PCI Security Standards Council (SSC). A client’s QSA can determine the appropriate division of responsibilities for operating on IBM Cloud. 

SOC reports now available for VPC Offerings

The AICPA developed the System and Organization Controls (SOC) to assess, address and report on the risk associated with an outsourced service:

  • SOC 1: As defined by the AICPA, a SOC 1 report details “Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR). These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.” IBM Cloud SOC 1 audits also include audit for the International Standards for Assurance Engagements No. 3402 (ISAE 3402). The IBM Cloud VPC SOC 1 Type 2 report is available upon request.
  • SOC 2: SOC 2 audits produce reports based on the AICPA Trust Service Principles and Criteria, defined as “intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.” The IBM Cloud VPC SOC 2 Type 2 report for security and availability principles and controls is available upon request.
  • SOC 3: These reports are “designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report”. The IBM Cloud VPC SOC 3 report is published and generally available.

VPC offerings in scope for PCI DSS and SOC 1/2/3 compliance

Learn more

More from Announcements

IBM Hybrid Cloud Mesh and Red Hat Service Interconnect: A new era of app-centric connectivity 

2 min read - To meet customer demands, applications are expected to be performing at their best at all times. Simultaneously, applications need to be flexible and cost effective, and therefore supported by an underlying infrastructure that is equally reliant, performant and secure as the applications themselves.   Easier said than done. According to EMA's 2024 Network Management Megatrends report only 42% of responding IT professionals would rate their network operations as successful.   In this era of hyper-distributed infrastructure where our users, apps, and data…

IBM named a Leader in Gartner Magic Quadrant for SIEM, for the 14th consecutive time

3 min read - Security operations is getting more complex and inefficient with too many tools, too much data and simply too much to do. According to a study done by IBM, SOC team members are only able to handle half of the alerts that they should be reviewing in a typical workday. This potentially leads to missing the important alerts that are critical to an organization's security. Thus, choosing the right SIEM solution can be transformative for security teams, helping them manage alerts…

IBM and MuleSoft expand global relationship to accelerate modernization on IBM Power 

2 min read - As companies undergo digital transformation, they rely on APIs as the backbone for providing new services and customer experiences. While APIs can simplify application development and deliver integrated solutions, IT shops must have a robust solution to effectively manage and govern them to ensure that response times and costs are kept low for all applications. Many customers use Salesforce’s MuleSoft, named a leader by Gartner® in full lifecycle API management for seven consecutive times, to manage and secure APIs across…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters