Compliance: Does Your Provider Have the Certifications It Claims?

Have you checked your provider's certificates lately?

Does the certificate reproduction or seal displayed on a website or in a brochure accurately reflect that the data center operator, cloud services firm, or other provider actually holds the certification it claims to hold?

Has a CPA firm or other qualified entity issued a certificate that the provider meets all the requirements of a standard required within an industry or by a governmental regulating body?

And if you are a current customer, and that answer was proven to your satisfaction during the sales process, does the provider still hold the certification today? Providers lose certifications all the time, and some have been known not to inform customers of the change in status.

You are also likely to find companies claiming certifications and compliance achievements that do not appear on the authoritative lists of compliant providers maintained by the certifying bodies themselves.

Sources for verification include:

PCI-DSS for payment card processing: 

FedRamp for government cloud computing:

LEED (Leadership in Energy and Environmental Design) for building sustainability:

Uptime Institute for data center availability:

Note that as of September 2015, Uptime Institute no longer issues new tier certifications (previously Tier I through Tier IV for data center operators), because so many data center builders and providers were claiming tier status without actually being certified by Uptime, a process that is not only expensive but far from a rubber stamp.

When it comes to compliance, "trust but verify" is the practice to follow: check the provider's status against the certifying body's own list rather than the provider's marketing material. And if compliance matters to your business, having a knowledgeable auditor periodically review your compliance posture on your behalf is advisable.

Resource:  A podcast conducting a deeper dive on these issues with compliance expert Dan Schroeder can be heard here.