Azure PCI Compliance

Azure PCI Compliance: A Quick Guide for Cloud Users

What Is Azure PCI Compliance?

Azure is Microsoft’s cloud computing platform. It offers many services, such as computing, storage, networking, and analytics. Azure services can help develop and scale new applications and run existing applications in the Azure public cloud.

The Payment Card Industry Data Security Standard (PCI DSS, often shortened to PCI) outlines practices to help prevent fraud by strengthening credit card data security. It is a global information security standard followed by organizations of all sizes.

Any entity accepting payment cards from Visa, American Express, MasterCard, the Japan Credit Bureau (JCB), and Discover must comply with the PCI DSS. Organizations that process, transmit, or store payment and cardholder data must adhere to PCI DSS regulations.

This is part of a series of articles about PCI compliance.

PCI Compliance in the Cloud

Cloud providers operate under the shared responsibility model, which means both the provider and customer must achieve compliance for certain aspects. This model makes cloud PCI compliance a complex endeavor for many organizations.

Cloud providers

The cloud provider must meet basic PCI compliance rules to ensure physical security for their data centers and regularly audit the backend infrastructure for security issues. Most cloud providers meet these requirements.

Cloud users

The bulk of the responsibility for PCI compliance lies with the organization using the cloud. Many organizations use automation to implement and assess PCI controls in the cloud environment. Automation helps achieve continuous visibility into compliance and maintain compliance without disrupting productivity.

Here are common controls cloud users implement:

  • Network controls such as intrusion detection and firewalls, which you can implement through third-party solutions.
  • Native security controls such as encryption, which most cloud vendors offer as built-in features. Cloud-native controls integrate seamlessly into the cloud environment.

The major cloud vendors provide automated tools that help continuously validate that your PCI controls are in place. These tools can also notify when a control is removed.

Azure and PCI DSS

Microsoft Azure has PCI DSS compliance certification (service provider level 1). It uses a qualified security assessor (QSA) to maintain its PCI DSS validation. The QSA’s Attestation of Compliance (AOC) is publicly available for download.

You can rely on Azure PCI DSS validation if your organization is building a card processing service or cardholder data environment. Leveraging Azure’s compliance allows you to reduce the costs and effort of maintaining a separate PCI DSS validation for your company.

However, Azure’s PCI compliance status does not necessarily imply PCI DSS validation for all services built or hosted on Azure. You are responsible for implementing the PCI DSS requirements and ensuring compliance. Azure offers resources that help organizations meet their PCI compliance obligations:

  • Azure PCI DSS Shared Responsibility Matrix – Defines the responsibilities for all PCI DSS requirements, specifying whether responsibility lies with Azure, the organization, or both (shared responsibility).
  • Azure Policy – Helps enforce your organization’s data security standards and assess compliance across the organization. It offers a built-in regulatory compliance initiative that maps Azure Policy definitions to PCI DSS controls and compliance domains, listing the domains and controls according to the shared responsibility model.

Azure PCI DSS Blueprint

The first thing you might do to implement a PCI DSS compliance strategy in Azure is to review the information provided by the Payment Card Industry Security Standards Council (SSC).

For example, the PCI DSS Quick Reference Guide is useful for organizations that process credit card data, such as merchants. It provides detailed information about the PCI DSS compliance requirements and helps explain how the standards help protect the payment card transaction environment.

The PCI DSS consists of 12 requirements. The following practices should help you ensure PCI compliance in Azure.

Objective: Building and maintaining secure networks and systems
  • Requirement 1 – Install and maintain firewall configurations that protect payment card data.
  • Requirement 2 – Avoid vendor defaults for passwords and other system security controls.

Objective: Protecting cardholder data
  • Requirement 3 – Implement protection measures for cardholder data in storage.
  • Requirement 4 – Encrypt data in transit over open networks like the Internet.

Objective: Implementing a vulnerability management strategy
  • Requirement 5 – Implement antivirus and anti-malware software across all systems and ensure regular updates.
  • Requirement 6 – Build and maintain secure applications and systems.

Objective: Enforcing strong access control
  • Requirement 7 – Limit access to cardholder data on a need-to-know basis.
  • Requirement 8 – Use identification and authentication to control access to all system components.
  • Requirement 9 – Limit physical access to stored data.

Objective: Monitoring and testing the network
  • Requirement 10 – Regularly monitor and track all access to cardholder data and network resources.
  • Requirement 11 – Regularly evaluate security processes and systems.

Objective: Maintaining an information security policy
  • Requirement 12 – Maintain a policy that covers data security for all persons.

Azure also offers a free service, Blueprints, for defining repeatable sets of Azure resources to help enforce compliance with PCI standards and requirements. Azure Blueprints lets customers configure Azure environments with compliance governance and the scalability to support large migration projects and production implementations.

For example, the PCI-DSS v3.2.1 blueprint offers mappings to the following PCI DSS controls:

  • Separation of duties – Manages permissions for the subscription owner.
  • Network access – Uses role-based access control (RBAC) to determine who can access each Azure resource.
  • User authentication data management – Audits accounts without multi-factor authentication (MFA).
  • User access privilege reviews – Audits accounts that require review, such as external or deprecated accounts with high-level access permissions.
  • Modifying and deleting access privileges – Audits deprecated accounts with subscription owner-level access permissions.
  • Secure login – Audits accounts without MFA enabled.
  • Password management – Enforces strong password security measures.
  • Cryptographic control policy – Enforces cryptographic controls and audits the use of weaker cryptographic configurations.
  • Operator and event logs – Provides diagnostics and insights into operations performed using Azure resources.
  • Administrator logs – Ensures logging of administrative (system) events.
  • Technical vulnerability management – Monitors operating system, SQL, and virtual machine (VM) vulnerabilities and identifies missing updates in Azure Security Center.
  • Network controls – Controls and monitors networks and network security groups to ensure restrictive rules.
  • Data transfer policies – Ensures all data transfers in Azure services are secure.

Azure PCI Compliance with Calico

Calico supports major compliance standards including PCI DSS, HIPAA, GDPR, SOC 2, CCPA, and any custom frameworks. Calico Cloud provides Microsoft users with the following features to address compliance requirements:

  • Continuous compliance – Monitor and log changes to security policies based on your organization’s time-based requirements. Maintain your security posture to meet PCI compliance requirements.
  • Compliance reports – Define custom compliance reports and run reports on demand to provide proof of compliance.
  • Policy implementation – Create policies that are Kubernetes-native and based on metadata and labels instead of IP addresses.
  • CIS Benchmark reports – Get out-of-the-box CIS benchmark compliance reports. Use the GlobalReport resource to schedule reports and set compliance thresholds.
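As an added example (not code from this article or from Tigera), here is how the policy-implementation and CIS-benchmark bullets above could look as Calico resources: a GlobalNetworkPolicy that fences off workloads carrying a constructed pci=true label using label selectors instead of IP addresses, followed by a GlobalReport that schedules a daily CIS benchmark report with pass/fail thresholds. The resource names, the pci label, the schedule and the threshold values are chosen for illustration; the field names are assumed to follow the Calico GlobalNetworkPolicy and GlobalReport resource schemas.

```yaml
# Added example, not from the article or the Calico project.
# Document 1: isolate the cardholder data environment (CDE) by label.
# Workloads are scoped with a constructed label "pci: true"; no IP
# addresses appear anywhere in the policy.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: pci-cde-isolation
spec:
  order: 100
  selector: pci == "true"          # applies to every PCI-scoped pod
  types:
    - Ingress
    - Egress
  ingress:
    # Only other PCI-scoped workloads may connect into the CDE.
    - action: Allow
      source:
        selector: pci == "true"
    # Everything else is explicitly denied (rules are evaluated in order).
    - action: Deny
  egress:
    # Keep name resolution working: allow DNS to kube-dns in kube-system.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports:
          - 53
    # CDE workloads may talk to each other, and to nothing else.
    - action: Allow
      destination:
        selector: pci == "true"
    - action: Deny
---
# Document 2: schedule a daily CIS benchmark compliance report.
# Thresholds (percentage of passed tests) decide whether a node is
# reported as HIGH (>= highThreshold) or MED (>= medThreshold).
apiVersion: projectcalico.org/v3
kind: GlobalReport
metadata:
  name: daily-cis-benchmark
spec:
  reportType: cis-benchmark
  schedule: "0 2 * * *"            # every day at 02:00 (cron syntax)
  cis:
    highThreshold: 100
    medThreshold: 50
    includeUnscoredTests: false
```

Both documents can be applied together with calicoctl or kubectl; the Deny rules are deliberate, so any service outside the CDE that legitimately needs to reach it must be given its own Allow rule above them.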
