IBM Cloud Renews and Expands PCI DSS Compliance for VPC Offerings

IBM Cloud VPC services have been renewed and expanded against the Payment Card Industry Data Security Standard (PCI DSS) standard (v3.2.1) for all global MZR data centers.

IBM Cloud completed the annual Payment Card Industry Data Security Standard PCI DSS assessment using an approved Qualified Security Assessor (QSA), and the resulting Attestation of Compliance (AOC) and Service Responsibility Matrix (SRM) guide is available upon client request.

Organizations looking to store, transmit or process cardholder data can use IBM Cloud services that have been assessed for PCI DSS compliance. A broad set of IBM Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings have also been assessed for PCI DSS, as detailed on IBM.com. 

Clients may leverage IBM Cloud services in a shared responsibility model to store, process and transmit cardholder data and use these services to create cardholder data environments (CDEs). Clients may request and use the IBM Cloud AOCs and SRM guides when seeking to develop these application environments and obtain their own PCI DSS certifications. It is the responsibility of the client to document and operate CDEs and applications built using IBM Cloud services in a PCI DSS-compliant manner. 

Assessed services

The QSA reviewed the in-scope IBM Virtual Private Cloud (VPC) services for compliance under PCI DSS version 3.2.1 as a Level 1 Service Provider. Adding to the compliant IBM Cloud IaaS, PaaS and VPC services previously assessed under the PCI DSS are the following:

• IBM Cloud Backup for VPC
• IBM Cloud Bare Metal Servers for VPC (including SAP)
• IBM Cloud Direct Link Connect (2.0)
• IBM Direct Link Dedicated (2.0)
• IBM Cloud DNS Services
• IBM Cloud Secrets Manager
• IBM Cloud Transit Gateway
• IBM Cloud VPN for VPC – Client-to-Site server

The previously assessed and renewed services include the following:

• IBM Cloud Block Storage for Virtual Private Cloud
• IBM Cloud Block Storage Snapshots for VPC
• IBM Cloud Flow Logs for VPC
• IBM Cloud Load Balancer for VPC
• IBM Cloud Virtual Private Endpoint for VPC
• IBM Cloud Virtual Private Cloud – Load Balancer for VPC: Application Load Balancer and Network Load Balancer
• IBM Cloud Virtual Private Cloud – VPN for VPC – Site-to-Site gateway
• IBM Cloud Virtual Server for VPC
• IBM Cloud Virtual Server for VPC - Auto Scale for VPC
• IBM Cloud Virtual Server for VPC - Dedicated Host for VPC

Learn more

• PCI Overview on the PCI web site: PCI Security Standards Council
• More information about PCI DSS and IBM Cloud services