Question

I want to host an application on Windows Azure that stores the credit card information of users who pay to buy subscriptions for a monthly fee. I'd just have to store the card data as securely as possible (encrypt, salt, update database password often, use HTTPS, and so on)

I believe I need to be PCI compliant to be able to store this kind of information. My question is can Azure allow me to achieve this? What are my options? Can an application on Azure process credit card payments?


Solution

Windows Azure is not currently PCI compliant. (it may be in the future but not now - roadmap)

EDIT: Azure is now Level-1 compliant: windowsazure.com/en-us/support/trust-center/compliance

Windows Azure has a Trust Center page that explains all about its security and compliance (I suggest you read more about it here about what Azure has and hasn't) https://www.windowsazure.com/en-us/support/trust-center/

You have options where you can build Azure Applications but let a 3rd party (PCI compliant) handle the actual credit card processing for you, thus mitigating your risk of a non-PCI compliant application on Azure.

OTHER TIPS

As of today Azure is PCI DSS Level 1 compliant.

http://blogs.msdn.com/b/windowsazure/archive/2014/01/16/announcing-pci-dss-compliance-and-expanded-iso-certification-for-windows-azure-general-availability-of-windows-azure-hyper-v-recovery-manager-and-other-updates-to-windows-azure.aspx

https://www.windowsazure.com/en-us/support/trust-center/compliance/

My understanding of PCI Compliance means that you are now allowed to build applications on Azure and should be able to get them PCI certified as well. Just building an app and hosting it in Azure does not guarantee compliance.

Now it is compliant. You can visit the Windows Azure compliance page for details and also download the Windows Azure Customer PCI Guide.

It is compliant in broad terms. Try building an app using webapps and a DB that communicate to each other and not use the public IP space. Here are some issues in PCI-DSS.

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.

1.3.5 All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content).
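The answer above quotes the PCI DSS firewall requirements but does not show what "not use the public IP space" and "deny all other traffic" look like against Azure's network security group (NSG) model. The following is an added example, not code from the answer or from Microsoft: a small evaluator that applies NSG-style rules (lowest priority number wins, first match decides) to a flow, and a checker that flags the two failure modes a QSA looks for first. It assumes Azure's built-in default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, AllowInternetOutBound and the DenyAll pair at 65000-65500) as remembered, that the VNet is 10.0.0.0/16, and that 168.63.129.16 is the platform load-balancer address; all subnets, hosts and the payment-gateway address are constructed sample data. The point it demonstrates is that a DB subnet NSG with only an "allow SQL from the app subnet" rule still lets any other VNet host reach the database and lets the database reach the whole Internet, because the Azure defaults sit underneath; an explicit deny-all pair below priority 65000 is what satisfies 1.2.1 and 1.3.3.

```python
"""Evaluate an NSG-style rule set for a cardholder data environment against
PCI DSS 1.2.1 (deny all but necessary traffic) and 1.3.3 (no direct Internet
connections). Added example; NSG default-rule details are an assumption
recalled from memory, addresses are constructed."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")          # assumption: our VNet range
AZURE_LB = ipaddress.ip_address("168.63.129.16")   # Azure platform LB address


@dataclass
class Rule:
    name: str
    priority: int          # lower number is evaluated first; first match wins
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    source: str            # CIDR, "*", or service tag
    destination: str
    dest_ports: tuple      # ("*",), ("1433",), ("8000-8010",) ...
    protocol: str = "*"


def _addr_match(pattern, addr):
    ip = ipaddress.ip_address(addr)
    if pattern == "*":
        return True
    if pattern == "Internet":            # public (globally routable) space only
        return ip.is_global
    if pattern == "VirtualNetwork":
        return ip in VNET
    if pattern == "AzureLoadBalancer":
        return ip == AZURE_LB
    return ip in ipaddress.ip_network(pattern, strict=False)


def _port_match(ports, port):
    for p in ports:
        if p == "*":
            return True
        if "-" in p:
            lo, hi = map(int, p.split("-"))
            if lo <= port <= hi:
                return True
        elif int(p) == port:
            return True
    return False


# Azure's built-in default rules (assumption; verify in your subscription).
AZURE_DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*", ("*",)),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", ("*",)),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", ("*",)),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", ("*",)),
]


def decide(rules, direction, src, dst, port):
    """Return (access, rule_name) for a flow, custom rules layered over defaults."""
    for r in sorted(rules + AZURE_DEFAULTS, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if _addr_match(r.source, src) and _addr_match(r.destination, dst) \
                and _port_match(r.dest_ports, port):
            return r.access, r.name
    return "Deny", "implicit"


def pci_findings(rules):
    """Flag missing explicit deny-all (1.2.1) and Internet allows (1.3.3)."""
    findings = []
    for d in ("Inbound", "Outbound"):
        if not any(r.direction == d and r.access == "Deny" and r.source == "*"
                   and r.destination == "*" and r.dest_ports == ("*",)
                   and r.priority < 65000 for r in rules):
            findings.append(f"1.2.1: no explicit deny-all {d} rule below Azure defaults")
    for r in rules:
        if r.access == "Allow" and (
                (r.direction == "Inbound" and r.source in ("*", "Internet")) or
                (r.direction == "Outbound" and r.destination in ("*", "Internet"))):
            findings.append(f"1.3.3: {r.name} allows direct {r.direction.lower()} Internet traffic")
    return findings


# Constructed: app subnet 10.0.1.0/24, DB subnet 10.0.2.0/24, gateway 203.0.113.10.
WEAK_DB_NSG = [
    Rule("AllowSqlFromApp", 100, "Inbound", "Allow", "10.0.1.0/24", "10.0.2.0/24", ("1433",), "Tcp"),
]
HARDENED_DB_NSG = WEAK_DB_NSG + [
    Rule("DenyAllInbound", 4000, "Inbound", "Deny", "*", "*", ("*",)),
    Rule("AllowPaymentGatewayHttps", 100, "Outbound", "Allow", "10.0.2.0/24", "203.0.113.10/32", ("443",), "Tcp"),
    Rule("DenyAllOutbound", 4000, "Outbound", "Deny", "*", "*", ("*",)),
]

if __name__ == "__main__":
    for label, nsg in (("weak", WEAK_DB_NSG), ("hardened", HARDENED_DB_NSG)):
        print(label, "jumpbox->db:1433", decide(nsg, "Inbound", "10.0.3.7", "10.0.2.5", 1433))
        print(label, "db->8.8.8.8:443 ", decide(nsg, "Outbound", "10.0.2.5", "8.8.8.8", 443))
        print(label, "findings:", pci_findings(nsg) or "none")
```

Run it and the weak set shows a non-app VNet host reaching SQL via AllowVnetInBound and the database reaching an arbitrary public address via AllowInternetOutBound, both with no custom rule involved; the hardened set denies both while still allowing app-to-SQL and DB-to-gateway. The same shape applies to 1.3.5: the outbound allow list names the single gateway address and port, which is the "restricting source/destination addresses/ports" the requirement asks for.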

The Windows Azure PCI Attestation of Compliance (AoC) does not list any services that customers can actually go out and buy. The AoC certifies the following services:

Azure Core Services, Azure Platform Services, Azure Directory Services, Data Processing, Infrastructure, Operations.

...but these services (at least by name, anyway), cannot be "bought".

I've put together the following blog article, as to why a QSA such as myself with several years PCI DSS auditing experience, has an issue with Azure:

https://www.2-sec.com/2015/11/19/is-microsoft-azure-pci-dss-compliant-lessons-in-due-diligence/

Tim Holman, QSA, 2-sec...

Licensed under: CC-BY-SA with attribution