Payment Card Industry (PCI) Data Security Standard (DSS) Level 1 Service Provider
The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations of all sizes must follow PCI DSS standards if they accept payment cards from the five major credit card brands—Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau (JCB). Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.
Microsoft Azure completes an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA). The auditor reviews the Azure environment, which includes validating the infrastructure, development, operations, management, support, and in-scope services. The PCI DSS designates four levels of compliance based on transaction volume. Azure is certified as compliant under PCI DSS version 3.2 at Service Provider Level 1 (the highest volume of transactions—more than 6 million a year).
The assessment results in an Attestation of Compliance (AoC) and Report on Compliance (RoC) issued by the QSA. The effective period for compliance begins upon passing the audit and receiving the AoC from the assessor, and ends one year from the date the AoC is signed. The AoC is available to customers to show the QSA has determined that Azure is in compliance with PCI DSS v3.2.
Customers who want to develop a cardholder environment or card processing service can leverage the Azure validation in many of the underlying portions, thereby reducing the associated effort and costs of getting their own PCI DSS certification.
It is, however, important to understand that Azure PCI DSS compliance status does not automatically translate to PCI DSS certification for the services that customers build or host on the Azure platform. Customers are responsible for ensuring that they achieve compliance with PCI DSS requirements. The Azure Customer PCI Guide specifies areas of responsibility for each PCI DSS requirement, and whether it is assigned to Azure or the customer, or if the responsibility is shared.
Frequently asked questions
The "April 2016" date seen on the cover page of the Azure AoC is when the AoC template was published. Refer to Section 2 for the date of the assessment. The provided link, http://aka.ms/azure-pci, goes to the most recent version of the Azure AoC.
Azure is continuously releasing new services that PCI customers want to leverage. To keep up with customer demand, Azure undergoes two PCI assessments annually. The "Core" AoC covers the Azure platform, infrastructure, and the bulk of Azure services. The "Add-on" AoC covers new Azure services that were not included in the Core assessment. Both AoCs should be used together, as the Add-on AoC relies on the Core AoC. The Core AoC is issued in March, and the Add-on AoC follows each year in June.
The Payment Application Data Security Standard (PA DSS) is a set of requirements that comply with the PCI DSS, and replaces Visa’s Payment Application Best Practices, as well as consolidates the compliance requirements of the other primary card issuers. The PA DSS helps software vendors develop third-party applications that store, process, or transmit cardholder payment data as part of a card authorization or settlement process. Retailers must use PA DSS certified applications to efficiently achieve their PCI DSS compliance. Note that the PA DSS does not apply to Azure.
It applies to any company, no matter the size or number of transactions, that accepts, transmits, or stores cardholder data. That is, if any customer ever pays a company using a credit or debit card, then the PCI DSS requirements apply. Companies are validated at one of four levels based on the total transaction volume over a 12-month period. Level 1 is for companies that process over 6 million transactions a year; Level 2 for 1 million to 6 million transactions; Level 3 is for 20,000 to 1 million transactions; and Level 4 is for fewer than 20,000 transactions.
The latest Azure AoC is available at http://aka.ms/azure-pci.
The information that the PCI Security Standards Council makes available is a good place to learn about specific compliance requirements. The council publishes the PCI DSS Quick Reference Guide that explains how the PCI DSS can help protect a payment card transaction environment and how to apply it. The council also offers resources for assessing PCI DSS compliance.
Compliance involves several factors, including assessing the systems and processes not hosted on Azure. Individual requirements will vary based on which Azure services are used and how they are employed within the solution.
Microsoft in-scope cloud services
Covered services include:
- Azure and Azure Government detailed list
- Cloud App Security
- Microsoft Flow cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite