8

I want to host an application on Windows Azure that stores the credit card information of users who pay to buy subscriptions for a monthly fee. I'd just have to store the card data as securely as possible (encrypt, salt, update the database password often, use HTTPS, and so on).

I believe I need to be PCI compliant to be able to store this kind of information. My question is can Azure allow me to achieve this? What are my options? Can an application on Azure process credit card payments?

Mark13426

5 Answers

11

Windows Azure is not currently PCI compliant. (it may be in the future but not now - roadmap)

EDIT: Azure is now Level-1 compliant: windowsazure.com/en-us/support/trust-center/compliance

Windows Azure has a Trust Center page that explains all about its security and compliance (I suggest you read more there about what Azure has and hasn't): https://www.windowsazure.com/en-us/support/trust-center/

You have options where you can build Azure applications but let a 3rd party (PCI compliant) handle the actual credit card processing for you, thus mitigating your risk of a non-PCI compliant application on Azure.

johnnyRose
user728584
  • I was looking at PayPal's Payments Pro Agreement and it wants me to agree that I'm PCI compliant, so I'm not sure if I can use PayPal. – Mark13426 Jun 23 '12 at 05:45
  • The only alternative I see is a hybrid approach where credit card information is stored on-premises and then processed by a 3rd party using standard security, e.g. SSL, and then having other parts of your app running in Azure. There might be alternative approaches, but the Azure platform itself is not PCI compliant. – user728584 Jun 23 '12 at 05:53
  • If you can live with having a web page for payments, look at Stripe.com. You don't have to be pci compliant if you use their API as designed. – Brian Reischl Jun 23 '12 at 18:22
  • There are multiple levels of PCI compliance, and as soon as you are not going to _store_ the credit card data it should be fine using Azure. There are recommended third parties that can automatically test your application for the lowest level of PCI compliance; it is not very complicated to meet the requirements. As soon as you are going to keep your customers' card details you will need your own enclosure in the data centre with access control and stuff. – Alexey Zimarev Sep 16 '13 at 07:22
  • According to their page they're now Level-1 compliant: https://www.windowsazure.com/en-us/support/trust-center/compliance/ – Casey Feb 24 '14 at 15:55
9

As of today Azure is PCI DSS Level 1 compliant.

http://blogs.msdn.com/b/windowsazure/archive/2014/01/16/announcing-pci-dss-compliance-and-expanded-iso-certification-for-windows-azure-general-availability-of-windows-azure-hyper-v-recovery-manager-and-other-updates-to-windows-azure.aspx

https://www.windowsazure.com/en-us/support/trust-center/compliance/

My understanding of PCI Compliance means that you are now allowed to build applications on Azure and should be able to get them PCI certified as well. Just building an app and hosting it in Azure does not guarantee compliance.

Nathan Lewis
4

Now it is compliant. You can visit the Windows Azure compliance page for details and also download the Windows Azure Customer PCI Guide.

BryanH
0

It is compliant in broad terms. Try building an app using web apps and a DB that communicate with each other and do not use the public IP space. Here are some relevant requirements in PCI-DSS.

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.

1.3.5 All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content).

Wtower
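One way to express the advice in this answer (web tier and database talking only to each other, no Internet path into or out of the cardholder data environment) as an Azure network security group, written in Bicep as an added example that is not part of the answer. The address ranges 10.0.1.0/24 (web tier), 10.0.2.0/24 (database tier) and port 1433 are constructed assumptions, and each rule is annotated with the PCI-DSS requirement number quoted above that it addresses.

```bicep
// Added example, not code from the answer. Assumed, constructed values: web tier
// 10.0.1.0/24, database tier (the CDE) 10.0.2.0/24, SQL Server on TCP 1433.
resource cdeNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-cde-db'
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        name: 'AllowWebTierToSql' // 1.2.1: only the traffic the CDE needs
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.0.1.0/24'
          sourcePortRange: '*'
          destinationAddressPrefix: '10.0.2.0/24'
          destinationPortRange: '1433'
        }
      }
      {
        name: 'DenyAllOtherInbound' // 1.2.1 / 1.3.3: blocks Internet and other subnets
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        name: 'DenyAllOutbound' // 1.3.3 / 1.3.5: no CDE-initiated flows leave the subnet
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

The explicit deny rules are needed because the built-in defaults (AllowVnetInBound at priority 65000 and AllowInternetOutBound at 65001) would otherwise admit that traffic; NSGs are stateful, so replies to the allowed SQL sessions still flow despite the outbound deny.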
0

The Windows Azure PCI Attestation of Compliance (AoC) does not list any services that customers can actually go out and buy. The AoC certifies the following services:

Azure Core Services, Azure Platform Services, Azure Directory Services, Data Processing, Infrastructure, Operations.

...but these services (at least by name, anyway) cannot be "bought".

I've put together the following blog article as to why a QSA such as myself, with several years of PCI DSS auditing experience, has an issue with Azure:

https://www.2-sec.com/2015/11/19/is-microsoft-azure-pci-dss-compliant-lessons-in-due-diligence/

Tim Holman, QSA, 2-sec...