PCI DSS

PCI DSS overview

The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards, including PCI DSS.

Compliance with PCI DSS is required for any organization that stores, processes, or transmits cardholder data, which, at a minimum, consists of the full primary account number (PAN) – a unique payment card number that identifies the issuer and the particular cardholder account. Cardholder data may also appear in the form of a full PAN plus additional information such as cardholder name, expiration date, and service codes. Sensitive authentication data that may be transmitted or processed (but not stored) as part of a payment transaction contains additional data elements that must also be protected, including track data from card chip or magnetic stripe, PINs, PIN blocks, and so on. For more information, see PCI DSS glossary.

The PCI DSS designates four levels of compliance based on transaction volume, with Service Provider Level 1 corresponding to the highest volume of transactions at more than 6 million a year. The assessment results in an Attestation of Compliance (AoC), which is available to customers and Report on Compliance (RoC) issued by an approved Qualified Security Assessor (QSA). The effective period for compliance begins upon passing the audit and receiving the AoC from the QSA and ends one year from the date the AoC is signed.

Azure and PCI DSS

Microsoft Azure maintains a PCI DSS validation using an approved Qualified Security Assessor (QSA), and is certified as compliant under PCI DSS version 4.0 at Service Provider Level 1. The Attestation of Compliance (AOC) produced by the QSA is available for download. If you want to develop a cardholder data environment (CDE) or card processing service, you can rely on the Azure validation, thereby reducing the associated effort and costs of getting your own PCI DSS validation.

It is, however, important to understand that Azure PCI DSS compliance status doesn't automatically translate to PCI DSS validation for the services that you build or host on the Azure platform. You're responsible for ensuring that you achieve compliance with PCI DSS requirements. Azure provides the following resources to help you meet your own PCI DSS compliance obligations:

  • Azure PCI DSS Shared Responsibility Matrix specifies areas of responsibility for each PCI DSS requirement, and whether it is assigned to Azure or you, or if the responsibility is shared. See Audit reports for access instructions.
  • Azure Policy regulatory compliance built-in initiative for PCI DSS maps to PCI DSS compliance domains and controls. Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each PCI DSS control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Applicability

  • Azure
  • Azure Government

Services in scope

For a list of Microsoft online services in audit scope, see the PCI DSS Attestation of Compliance (AoC) that is available separately for Azure and Azure Government or Cloud services in audit scope:

  • Azure
  • Dynamics 365
  • Microsoft 365
  • Power Platform

Office 365 and PCI DSS

For more information about Office 365 compliance, see Office 365 PCI DSS documentation.

Audit reports

The Azure PCI DSS audit documentation covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services. You can access Azure PCI DSS audit documents from the Service Trust Portal (STP) PCI DSS reports section. For instructions on how to access audit reports, see Audit documentation.

Frequently asked questions

Why does the Attestation of Compliance (AoC) cover page say "June 2018"?
The June 2018 date on the cover page is when the AoC template was published. Refer to Section 3 with signatures for the date of the assessment.

How long is the PCI DSS AoC valid?
The effective period for compliance begins upon passing the audit and receiving the AoC from the Qualified Security Assessor (QSA) and ends one year from the date the AoC is signed.

How can I get the Azure PCI DSS audit documentation?
For links to audit documentation, see Audit reports.

Why are there multiple Azure Attestations of Compliance (AoC)?
The Azure PCI DSS AoC package has AoCs corresponding to Azure and Azure Government cloud environments. You should use the AoC that corresponds to your cloud environment.

What is the relationship between the PA DSS and PCI DSS?
The Payment Application Data Security Standard (PA DSS) is a set of requirements that comply with the PCI DSS. These requirements replace Visa's Payment Application Best Practices and consolidate the compliance requirements of the other primary card issuers. The PA DSS helps software vendors develop third-party applications that store, process, or transmit cardholder payment data as part of a card authorization or settlement process. Retailers must use PA DSS certified applications to efficiently achieve their PCI DSS compliance. The PA DSS doesn't apply to Azure or Azure Government.

What is an acquirer and does Azure use one?
An acquirer is a bank or other entity that processes payment card transactions. Azure doesn't offer payment card processing as a service and therefore doesn't use an acquirer.

To what organizations and merchants does the PCI DSS apply?
PCI DSS applies to any company, no matter the size, or number of transactions, that accepts, transmits, or stores cardholder data. If any customer ever pays a company using a credit or debit card, then the PCI DSS requirements apply. Companies are validated at one of four levels based on the total transaction volume over a 12-month period. Level 1 is for companies that process over 6 million transactions a year; Level 2 for 1 million to 6 million transactions; Level 3 is for 20,000 to 1 million transactions; and Level 4 is for fewer than 20,000 transactions. Azure maintains a PCI DSS validation at Service Provider Level 1.

Where do I begin my organization's PCI DSS compliance efforts for a solution deployed on Azure?
The information that the PCI Security Standards Council makes available is a good place to learn about specific compliance requirements. The Council publishes the PCI DSS standard and supporting documents such as the PCI DSS Quick Reference Guide and Prioritized Approach for PCI DSS that explain how you can help protect a payment card transaction environment.

Compliance involves several factors, including assessing the systems and processes not hosted on Azure. Individual requirements vary based on which Azure services are used and how they're employed within the solution.

Resources