Compliance certifications
IBM Power Virtual Server located in IBM data centers: Off-premises
The Power Virtual Server provides programs and certifications that help you establish and strengthen compliance for a wide range of internationally recognized standards.
Financial Services® Validated
IBM designates IBM Cloud services as IBM Cloud for Financial Services Validated when the services are determined to materially implement the IBM Cloud framework for financial services control requirements.
For more information and the list of validated IBM Cloud services, see IBM Cloud® for Financial Services®.
SOC
The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information that is stored in the cloud. Certified public accountants (CPAs) audit cloud service providers (CSPs), resulting in internal control reports on the services provided by a service organization. SOC reports can help users assess and address the risks that are associated with an outsourced service.
SOC 1 is an audit of the internal controls at a service organization that are implemented to protect client-owned data involved in client financial reporting. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
Contact an IBM representative to request the IBM public cloud (infrastructure, VPC, and PaaS) SOC reports.
The following SOC reports are available for Power Virtual Server:
- SOC 1 Type II
- SOC 2 Type II
ISO 27017:2015
The International Organization for Standardization (ISO) is an independent, non-governmental organization with a membership of 164 national standards bodies. ISO develops international standards that are voluntary, consensus-based, and market relevant. The goal is to ensure that products and services are safe, reliable and of good quality.
The Power Virtual Server provides services that are delivered from global data centers that are a component of the IBM Cloud™ IaaS ISO certification. The ISO certification covers a family of 4 standards as follows:
- ISO/IEC 27001:2013
- ISO/IEC 27017:2015
- ISO/IEC 27018:2019
- ISO/IEC 27701:2019
For more information, see ISO 27017 - IBM Cloud infrastructure certificate and Products in the scope of the IBM services information security management system (ISMS).
PCI DSS
To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established the Payment Card Industry (PCI) data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation from a third-party Qualified Security Assessor (QSA). IBM is a Level 1 Service Provider for PCI DSS.
You are responsible for storing, processing, and transmitting cardholder data, and you might create cardholder data environments (CDEs) that store, transmit, or process cardholder data by using IBM Cloud Platform services. You can use the IBM Cloud Attestation of Compliance (AOC) when you seek your own PCI DSS certifications. It is your responsibility to document and operate CDEs and applications that are built by using IBM Cloud Platform services in a PCI DSS-compliant manner.
Contact an IBM representative to request a PCI DSS Attestation of Compliance (AOC) or a Service Responsibility Matrix (SRM) guide for Power Virtual Server.
You can build PCI DSS-compliant environments and applications by using IBM Cloud. For more information, see IBM Cloud PCI DSS Guidance.
HIPAA
The US Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act define standards for handling electronic healthcare transactions and information. Power Virtual Server on IBM Cloud is HIPAA-ready. You can build HIPAA-ready environments and applications by using Power Virtual Server. For more information, see the IBM Cloud® compliance: HIPAA.
If your company is a covered entity as defined by HIPAA, you must enable the HIPAA Supported setting if you run sensitive workloads that are regulated under HIPAA and the HITECH Act. By using this setting, you can filter on HIPAA Enabled services in the catalog, indicate to IBM that your account stores protected health information (PHI), and digitally accept the IBM Business Associate Addendum for covered entities. For more information, see Enabling HIPAA support for your account.