IBM Cloud continues to expand compliance for Infrastructure- and Platform-as-a-Service (IaaS and PaaS) offerings with the Payment Card Industry Data Security Standard (PCI DSS).
The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the global adoption of consistent data security measures. The PCI DSS provides a baseline of technical and operational requirements designed to protect account data, including card number, expiration date, and verification data.
IBM Cloud Platform completes annual PCI DSS assessments using an approved Qualified Security Assessor (QSA), and the resulting Attestations of Compliance (AOCs) are available upon client request. Auditors review in-scope IBM Cloud Infrastructure and PaaS services for compliance under PCI DSS version 3.2.1 at Service Provider Level 1.
Clients are responsible for the storing, processing, and transmission of their cardholder data and may create cardholder data environments (CDEs) that can store, transmit, or process cardholder data using IBM Cloud Platform services. Clients can use the IBM Cloud AOCs when seeking their own PCI DSS certifications. It is the responsibility of the client to document and operate CDEs and applications built using IBM Cloud Platform services in a PCI DSS-compliant manner.
Adding to the compliant IBM Cloud Infrastructure and PaaS services previously assessed under the PCI DSS are the following:
- IBM Cloud Certificate Manager
- IBM Cloud Foundry Enterprise Environment
- IBM Event Streams for IBM Cloud Enterprise
- IBM Key Protect for IBM Cloud
A full list of PCI DSS-ready IBM Cloud Platform services and options to request a PCI DSS Attestation of Compliance (AOC) can be found at here.