@Joel Acosta Welcome to Microsoft Q&A Forum, Thank you for posting your query here!
Microsoft Azure is certified as compliant under PCI DSS version 4.0 at Service Provider Level.
It is important to understand that Azure PCI DSS compliance status doesn't automatically translate to PCI DSS validation for the services that you build or host on the Azure platform. You're responsible for ensuring that you achieve compliance with PCI DSS requirements. More info here.
Azure API Management is one of the services under Azure, so it should be in scope for PCI DSS compliance, but since APIM is an integration service, it is the responsibility of the customer to make sure that their backend APIs are compliant with the PCI DSS standards.
Regarding your question, in terms of architecture, it’s important to isolate APIs that handle card data (PCI DSS) from those that do not. This can be achieved by creating separate API Management instances for APIs that handle card data and those that do not. This way, you can apply stricter security controls and monitoring on the API Management instance that handles card data.
Furthermore, to ensure that APIs do not communicate directly with each other, you can implement network security controls such as firewalls, network segmentation, and access controls. These controls can help prevent unauthorized access and data leakage between APIs. Refer to this article.
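As an added illustration of the "stricter controls on the card-data instance" approach above (example policy written for this thread, not from the original answer or from Microsoft documentation), an inbound policy for the dedicated card-data APIM instance that only accepts calls from the PCI network segment and requires a valid bearer token. The address range, the tenant placeholder in the OpenID configuration URL and the audience value are constructed assumptions.

```xml
<!-- Added example, not from the original answer. Inbound policy for the
     APIM instance dedicated to card-data APIs. Constructed assumptions:
     10.20.0.0/24 is the PCI segment, the tenant id is a placeholder and
     the audience value is hypothetical. -->
<policies>
  <inbound>
    <base />
    <!-- Accept calls only from the PCI segment; traffic from anywhere else,
         including the non-PCI APIM instance, is rejected before it reaches
         a backend. -->
    <ip-filter action="allow">
      <address-range from="10.20.0.1" to="10.20.0.254" />
    </ip-filter>
    <!-- Every caller must present a token issued for this instance; a
         token minted for the non-PCI gateway fails the audience check. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  require-scheme="Bearer">
      <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration" />
      <required-claims>
        <claim name="aud">
          <value>api://card-data-gateway</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Applying this at the product or global scope of the card-data instance, and leaving the non-PCI instance without an allow-list entry for the PCI segment, gives the segmentation described above at the gateway layer in addition to the network layer.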
Please refer to the security baseline for Azure APIM: https://video2.skills-academy.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline
Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.