Azure is Microsoft’s cloud computing platform. It offers many services, such as computing, storage, networking, and analytics. Azure services can help develop and scale new applications and run existing applications in the Azure public cloud.
The Payment Card Industry Data Security Standard (PCI DSS, often shortened to PCI) outlines practices to help prevent fraud by strengthening credit card data security. It is a global information security standard followed by organizations of all sizes.
Any entity accepting payment cards from Visa, American Express, MasterCard, the Japan Credit Bureau (JCB), and Discover must comply with the PCI DSS. Organizations that process, transmit, or store payment and cardholder data must adhere to PCI DSS regulations.
This is part of a series of articles about PCI compliance.
Cloud providers operate under the shared responsibility model: the provider is responsible for the compliance of some aspects of the environment, and the customer is responsible for the rest. This split is what makes cloud PCI compliance a complex endeavor for many organizations.
Cloud providers
The cloud provider must meet basic PCI compliance rules to ensure physical security for their data centers and regularly audit the backend infrastructure for security issues. Most cloud providers meet these requirements.
Cloud users
The bulk of the responsibility for PCI compliance lies with the organization using the cloud. Many organizations use automation to implement and assess PCI controls in the cloud environment. Automation helps achieve continuous visibility into compliance and maintain compliance without disrupting productivity.
Here are common controls cloud users implement:
The major cloud vendors provide automated tools that continuously validate that your PCI controls are in place and can notify you when a control is removed.
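The drift check described above, as an added example that is not code from the original article or from any cloud vendor: it compares two snapshots of policy compliance records and reports controls that have disappeared and resources that have newly fallen out of compliance. The record fields (resourceId, policyAssignmentName, policyDefinitionReferenceId, complianceState) follow the shape of Azure Policy compliance state records; the snapshot data, the policy reference ids and the mapping from those ids to PCI DSS requirements are constructed for illustration and are assumptions, not Microsoft's built-in mappings.

```python
"""Detect PCI control drift between two Azure Policy compliance snapshots.

Added example (not from the original article). Record fields mirror Azure Policy
compliance state records; the sample data below is constructed, and the
control-to-requirement mapping is an assumed illustration.
"""
from collections import defaultdict

# Assumed mapping: policy definition reference id -> PCI DSS requirement it supports.
CONTROL_TO_REQUIREMENT = {
    "storage-https-only": "Requirement 4 - encrypt data in transit",
    "sql-tde-enabled": "Requirement 3 - protect stored cardholder data",
    "nsg-no-rdp-from-internet": "Requirement 1 - firewall configuration",
    "diagnostic-logs-enabled": "Requirement 10 - monitor access",
}

# Constructed resource ids; <subscription-id> is a placeholder, not a real value.
SCOPE = "/subscriptions/<subscription-id>/resourceGroups/cde"
STORAGE_ID = SCOPE + "/providers/Microsoft.Storage/storageAccounts/cdestore"
SQL_ID = SCOPE + "/providers/Microsoft.Sql/servers/cdesql"
NSG_ID = SCOPE + "/providers/Microsoft.Network/networkSecurityGroups/cde-nsg"
WORKSPACE_ID = SCOPE + "/providers/Microsoft.OperationalInsights/workspaces/cde-logs"


def record(resource_id, reference_id, state, assignment="pci-dss-initiative"):
    """Build one compliance record in the shape of an Azure Policy state entry."""
    return {
        "resourceId": resource_id,
        "policyAssignmentName": assignment,
        "policyDefinitionReferenceId": reference_id,
        "complianceState": state,
    }


# Constructed "previous" snapshot: every control present and compliant.
PREVIOUS_SNAPSHOT = [
    record(STORAGE_ID, "storage-https-only", "Compliant"),
    record(SQL_ID, "sql-tde-enabled", "Compliant"),
    record(NSG_ID, "nsg-no-rdp-from-internet", "Compliant"),
    record(WORKSPACE_ID, "diagnostic-logs-enabled", "Compliant"),
]

# Constructed "current" snapshot: the storage account drifted out of compliance and
# the diagnostic-logs control no longer appears at all (e.g. removed from the assignment).
CURRENT_SNAPSHOT = [
    record(STORAGE_ID, "storage-https-only", "NonCompliant"),
    record(SQL_ID, "sql-tde-enabled", "Compliant"),
    record(NSG_ID, "nsg-no-rdp-from-internet", "Compliant"),
]


def index_states(snapshot):
    """Map (policyDefinitionReferenceId, resourceId) -> complianceState."""
    return {
        (r["policyDefinitionReferenceId"], r["resourceId"]): r["complianceState"]
        for r in snapshot
    }


def detect_drift(previous, current):
    """Compare two snapshots and report removed controls and new non-compliance."""
    prev = index_states(previous)
    cur = index_states(current)

    # A control that was evaluated before but is absent now has been removed
    # from the assignment (or its scope), which must be treated as an alert.
    removed_controls = sorted({ref for ref, _ in prev} - {ref for ref, _ in cur})

    # Resources that were compliant in the previous run and are not any more.
    newly_non_compliant = sorted(
        key for key, state in cur.items()
        if state != "Compliant" and prev.get(key) == "Compliant"
    )

    # Current non-compliant resources grouped by the PCI requirement they affect.
    by_requirement = defaultdict(list)
    for (ref, resource_id), state in cur.items():
        if state != "Compliant":
            by_requirement[CONTROL_TO_REQUIREMENT.get(ref, "unmapped control")].append(resource_id)

    return {
        "removed_controls": removed_controls,
        "newly_non_compliant": newly_non_compliant,
        "non_compliant_by_requirement": {k: sorted(v) for k, v in by_requirement.items()},
    }


def format_alerts(report):
    """Render one alert line per finding, suitable for a notification channel."""
    alerts = [f"CONTROL REMOVED: {ref} ({CONTROL_TO_REQUIREMENT.get(ref, 'unmapped')})"
              for ref in report["removed_controls"]]
    alerts += [f"NEW NON-COMPLIANCE: {ref} on {rid} ({CONTROL_TO_REQUIREMENT.get(ref, 'unmapped')})"
               for ref, rid in report["newly_non_compliant"]]
    return alerts


if __name__ == "__main__":
    for line in format_alerts(detect_drift(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)):
        print(line)
```

In practice the two snapshots would come from successive exports of the policy compliance state for the cardholder data environment scope; the check is deliberately keyed on the policy reference id so that a control silently dropped from the initiative shows up as an alert rather than as a cleaner-looking report.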
Microsoft Azure holds PCI DSS compliance certification as a Level 1 service provider. It uses a qualified security assessor (QSA) to maintain its PCI DSS validation, and the QSA’s Attestation of Compliance (AOC) is publicly available for download.
You can rely on Azure PCI DSS validation if your organization is building a card processing service or cardholder data environment. Leveraging Azure’s compliance allows you to reduce the costs and effort of maintaining a separate PCI DSS validation for your company.
However, Azure’s PCI compliance status does not necessarily imply PCI DSS validation for all services built or hosted on Azure. You are responsible for implementing the PCI DSS requirements and ensuring compliance. Azure offers resources that help organizations meet their PCI compliance obligations:
The first step in implementing a PCI DSS compliance strategy in Azure is to review the information provided by the Payment Card Industry Security Standards Council (PCI SSC).
For example, the PCI DSS Quick Reference Guide is useful for organizations that process credit card data, such as merchants. It provides detailed information about the PCI DSS compliance requirements and helps explain how the standards help protect the payment card transaction environment.
The PCI DSS consists of 12 requirements. The following practices should help you ensure PCI compliance in Azure.
| Objective | Meeting PCI Requirements in Azure |
|---|---|
| Building and maintaining secure networks and systems | Requirement 1 – Install and maintain firewall configurations that protect payment card data. Requirement 2 – Avoid vendor defaults for passwords and other system security controls. |
| Protecting cardholder data | Requirement 3 – Implement protection measures for cardholder data in storage. Requirement 4 – Encrypt data in transit over open networks like the Internet. |
| Implementing a vulnerability management strategy | Requirement 5 – Implement antivirus and anti-malware software across all systems and ensure regular updates. Requirement 6 – Build and maintain secure applications and systems. |
| Enforcing strong access control | Requirement 7 – Limit access to cardholder data on a need-to-know basis. Requirement 8 – Use identification and authentication to control access to all system components. Requirement 9 – Limit physical access to stored data. |
| Monitoring and testing the network | Requirement 10 – Regularly monitor and track all access to cardholder data and network resources. Requirement 11 – Regularly evaluate security processes and systems. |
| Maintaining an information security policy | Requirement 12 – Maintain a policy that covers data security for all persons. |
Azure also offers a free service, Blueprints, for defining repeatable sets of Azure resources to help enforce compliance with PCI standards and requirements. Azure Blueprints lets customers configure Azure environments with compliance governance and the scalability to support large migration projects and production implementations.
For example, the PCI-DSS v3.2.1 blueprint offers mappings to the following PCI DSS controls:
Calico supports major compliance standards including PCI DSS, HIPAA, GDPR, SOC 2, CCPA, and any custom frameworks. Calico Cloud provides Microsoft users with the following features to address compliance requirements: