Azure and PCI Compliance

    Question

  • We are considering the hosting for our next generation of applications and Azure would be our preferred choice, but the lack of ability to be PCI compliant seems an incredible drawback. I have trawled the forums and there seem to be some hints that Microsoft had PCI compliance for the hardware and was seeking it for the software stack. All of these posts are a little out of date; has there been any progress on this issue?

    It is difficult to envision the internet without the ability to take credit card transactions these days so it is a surprise that PCI compliance wasn't considered from the outset.  I can see that some are using the approach of retaining physically securable hardware purely for credit card processing but this does seem to diminish the value of the cloud.

    Any thoughts? Without this it looks like we are back to colocation and physical hardware which we had hoped to be able to leave behind.

    Tuesday, February 26, 2013 7:36 PM

All replies

  • Hi,

    As I know, it is not supported yet. For any compliance on Azure:

    https://www.windowsazure.com/en-us/support/trust-center/compliance/

    You can vote for it as a new feature for a future version of Azure:

    http://www.mygreatwindowsazureidea.com/forums/34192-windows-azure-feature-voting

    Thanks,


    QinDian Tang
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.


    Wednesday, February 27, 2013 7:09 AM
  • The underlying Windows Azure physical infrastructure (datacenter, networking, physical access) is PCI DSS validated.  However, Windows Azure features (e.g., Storage, Cloud Services, Virtual Machines, etc.) have not been PCI DSS validated.  There is a PCI DSS Level 1 validation that Windows Azure would need to get only if you were to store, process, or otherwise access credit card information in Azure.

    You may be able to use an off-platform payment processor for your Azure application and not require Azure to be in scope for PCI DSS validation.  However, the exact scope of the audit will need to be decided by your Qualified Security Assessor.  Customers have the ultimate responsibility for complying with their industry regulations, including PCI DSS.

    Do you intend to store credit card data in Azure?  If so, why?  Most online commerce applications do not need to store credit card data (e.g., Primary Account Number), and instead rely on secure IFRAME to capture credit card data and transmit it to physically separate infrastructure.
    Saturday, March 23, 2013 2:37 AM
  • Windows Azure has been PCI DSS validated.  For more information, check out Windows Azure Trust Center:

    http://www.windowsazure.com/en-us/support/trust-center/compliance/

    Friday, January 17, 2014 1:31 AM
  • So now that Azure is PCI validated, what are the steps that I would need to take to validate my company's infrastructure in Azure?
    Wednesday, January 29, 2014 3:00 PM