Hosting a PCI compliant app on Azure

I want to host an application on Windows Azure that stores the credit card information of users who pay to buy subscriptions for a monthly fee. I'd just have to store the card data as securely as possible (encrypt, salt, update database password often, use HTTPS, and so on)

I believe I need to be PCI compliant to be able to store this kind of information. My question is can Azure allow me to achieve this? What are my options? Can an application on Azure process credit card payments?

Fonseca answered 23/6, 2012 at 5:30 Comment(0)

Windows Azure is not currently PCI compliant. (It may be in the future, but not now; roadmap.)

EDIT: Azure is now Level-1 compliant: windowsazure.com/en-us/support/trust-center/compliance

Windows Azure has a Trust Center page that explains all about its security and compliance (I suggest you read more there about what Azure has and hasn't): https://www.windowsazure.com/en-us/support/trust-center/

You have options where you can build Azure applications but let a 3rd party (PCI compliant) handle the actual credit card processing for you, thus mitigating your risk of a non-PCI compliant application on Azure.

Netsuke answered 23/6, 2012 at 5:38 Comment(5)
I was looking at PayPal's Payments Pro Agreement and it wants me to agree that I'm PCI compliant, so I'm not sure if I can use PayPal. – Fonseca
The only alternative I see is a hybrid approach where credit card information is stored on-premises and then processed by a 3rd party using standard security, e.g. SSL, and then having other parts of your app running in Azure. There might be alternative approaches, but the Azure platform itself is not PCI compliant. – Netsuke
If you can live with having a web page for payments, look at Stripe.com. You don't have to be PCI compliant if you use their API as designed. – Gnathonic
There are multiple levels of PCI compliance, and as long as you are not going to store the credit card data it should be fine using Azure. There are recommended third parties that can automatically test your application for the lowest level of PCI compliance; it is not very complicated to meet the requirements. As soon as you are going to keep your customers' card details you will need your own enclosure in the data centre with access control and so on. – Auscultate
According to their page they're now Level-1 compliant: windowsazure.com/en-us/support/trust-center/compliance – Separative

As of today Azure is PCI DSS Level 1 compliant.

http://blogs.msdn.com/b/windowsazure/archive/2014/01/16/announcing-pci-dss-compliance-and-expanded-iso-certification-for-windows-azure-general-availability-of-windows-azure-hyper-v-recovery-manager-and-other-updates-to-windows-azure.aspx

https://www.windowsazure.com/en-us/support/trust-center/compliance/

My understanding of PCI Compliance means that you are now allowed to build applications on Azure and should be able to get them PCI certified as well. Just building an app and hosting it in Azure does not guarantee compliance.

Krick answered 17/1, 2014 at 1:44 Comment(0)

Now it is compliant. You can visit the Windows Azure compliance page for details and also download the Windows Azure Customer PCI Guide.

Guppy answered 23/1, 2014 at 12:30 Comment(0)

It is compliant in broad terms. Try building an app using web apps and a DB that communicate with each other and do not use the public IP space. Here are some of the issues in PCI-DSS:

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.

1.3.5 All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content).

Proctoscope answered 20/8, 2015 at 21:39 Comment(0)
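The web-tier/DB-tier layout and the "deny all other traffic" requirements quoted in the answer above, as an added example that is not part of the original answer: a small Python model of how an Azure network security group decides a flow (first match in ascending priority order) and a check that a cardholder-data subnet gets the verdicts PCI DSS 1.2.1, 1.3.3 and 1.3.5 call for. The subnets, the internal DNS host 10.0.0.4, the flows and the "hardened" rule set are constructed for the example; the default rules are modelled on Azure's built-in NSG defaults, with the `VirtualNetwork` and `Internet` tags simplified to "inside / outside the VNet address space".

```python
"""Model Azure NSG first-match evaluation and audit a cardholder-data
subnet against PCI DSS 1.2.1 / 1.3.3 / 1.3.5 style flow expectations.
Constructed example; addresses and rules are not from the original post."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example.
VNET = ipaddress.ip_network("10.0.0.0/16")
WEB_SUBNET = "10.0.1.0/24"      # web tier
CDE_SUBNET = "10.0.2.0/24"      # database / cardholder data environment
INTERNAL_DNS = "10.0.0.4/32"    # hypothetical internal resolver the DB tier may reach
AZURE_LB = "168.63.129.16/32"   # Azure load balancer health-probe source


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, or tag "VirtualNetwork" / "Internet" / "*"
    destination: str
    port: str          # destination port, or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    src: str
    dst: str
    port: int


def _matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":     # simplification: real tag also covers peered/on-prem ranges
        return addr in VNET
    if spec == "Internet":           # simplification: anything outside the VNet
        return addr not in VNET
    return addr in ipaddress.ip_network(spec)


def evaluate(rules, flow: Flow) -> str:
    """The first rule that matches, in ascending priority order, decides (NSG semantics)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != flow.direction:
            continue
        if rule.port != "*" and int(rule.port) != flow.port:
            continue
        if _matches(rule.source, flow.src) and _matches(rule.destination, flow.dst):
            return rule.access
    return "Deny"   # not reached while the default DenyAll rules are present


# Azure's built-in default rules (priorities 65000-65500), which cannot be removed.
DEFAULT_RULES = [
    Rule(65000, "Inbound",  "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "Inbound",  "Allow", AZURE_LB,         "*",              "*"),
    Rule(65500, "Inbound",  "Deny",  "*",              "*",              "*"),
    Rule(65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "Outbound", "Allow", "*",              "Internet",       "*"),
    Rule(65500, "Outbound", "Deny",  "*",              "*",              "*"),
]

# Hardened: allow only the needed flows, then explicitly deny everything else
# ahead of the permissive defaults (PCI DSS 1.2.1 "deny all other traffic").
HARDENED_RULES = [
    Rule(100,  "Inbound",  "Allow", WEB_SUBNET, CDE_SUBNET,   "1433"),
    Rule(4096, "Inbound",  "Deny",  "*",        "*",          "*"),
    Rule(100,  "Outbound", "Allow", CDE_SUBNET, INTERNAL_DNS, "53"),
    Rule(4096, "Outbound", "Deny",  "*",        "*",          "*"),
] + DEFAULT_RULES

# Constructed flows with the verdict PCI DSS 1.3.3 / 1.3.5 expects for the CDE subnet.
EXPECTED = [
    ("internet -> db:1433",   Flow("Inbound",  "203.0.113.10", "10.0.2.5",     1433), "Deny"),
    ("web -> db:1433",        Flow("Inbound",  "10.0.1.7",     "10.0.2.5",     1433), "Allow"),
    ("other vnet -> db:3389", Flow("Inbound",  "10.0.3.9",     "10.0.2.5",     3389), "Deny"),
    ("db -> internet:443",    Flow("Outbound", "10.0.2.5",     "203.0.113.50", 443),  "Deny"),
    ("db -> internal dns:53", Flow("Outbound", "10.0.2.5",     "10.0.0.4",     53),   "Allow"),
]


def audit(rules):
    """Return the names of expected flows whose verdict the rule set gets wrong."""
    return [name for name, flow, want in EXPECTED if evaluate(rules, flow) != want]


if __name__ == "__main__":
    print("default rules only:", audit(DEFAULT_RULES))  # ['other vnet -> db:3389', 'db -> internet:443']
    print("hardened:", audit(HARDENED_RULES))            # []
```

The point the audit makes is that leaving a DB subnet on the default rules fails two of the quoted requirements even though nothing has a public IP: `AllowVnetInBound` lets every other subnet in the VNet reach the database, and `AllowInternetOutBound` lets the database initiate connections to the Internet. The fix is to put the specific allows at low priority numbers and an explicit deny-all at 4096, below the defaults. NSGs are stateful, so the web tier's responses to the database do not need their own outbound allow.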

The Windows Azure PCI Attestation of Compliance (AoC) does not list any services that customers can actually go out and buy. The AoC certifies the following services:

Azure Core Services, Azure Platform Services, Azure Directory Services, Data Processing, Infrastructure, Operations.

...but these services (at least by name, anyway), cannot be "bought".

I've put together the following blog article as to why a QSA such as myself, with several years' PCI DSS auditing experience, has an issue with Azure:

https://www.2-sec.com/2015/11/19/is-microsoft-azure-pci-dss-compliant-lessons-in-due-diligence/

Tim Holman, QSA, 2-sec...

Uncinus answered 16/11, 2015 at 17:34 Comment(0)