Processing credit card transactions on Azure

  • Question

  • I need to store credit card data and process recurring payments. As far as I know, Azure is not PCI-compliant. What are my options? I don't want to use a third-party payment gateway.
    Saturday, June 23, 2012 6:26 PM

Answers

  • The parts of Windows Azure that Microsoft manages qualify for PCI compliance, assuming your application and everything related to it qualify for PCI compliance. Since that doesn't really help any...

    It depends entirely on how much money you are processing and the number of transactions you process, as that would dictate the level of protection necessary. Remember, PCI isn't all or nothing, it has varying levels of protection requirements depending on dollars flowing through your systems. So small amounts of money over a period of time don't require the same level of protection as millions of dollars over the same period of time. You need to figure out what level of protection you need to provide for the cardholder data before you can really determine what your options are.

    For more information on what Windows Azure can offer security-wise you could take a look at the trust center section on security: https://www.windowsazure.com/en-us/support/trust-center/security/

    You could also look at the Security Best Practices document for Azure: http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=7253


    Developer Security MVP | www.syfuhs.net

    • Marked as answer by Arwind - MSFT Friday, June 29, 2012 7:59 AM
    Saturday, June 23, 2012 7:13 PM

All replies

  • Thanks for your answer. I'm going to be in the lowest level, requiring the smallest amount of scrutiny. I was looking at MasterCard's SDP requirements, and it said a quarterly network scan by an ASV is required. Since I won't have any on-premises hardware, how can I have an entity or person scan Azure's infrastructure? Is this even possible?
    Monday, June 25, 2012 5:45 AM
  • Given the current set of infrastructure features Azure provides and the compliance levels it meets, I think you'll need to have either on-premises infrastructure yourself or use another provider for this kind of data/operations. There is no way to reach your desired level of PCI compliance within Azure as of now.

    Monday, June 25, 2012 9:15 AM
  • Are there any plans to achieve PCI compliance?
    Tuesday, June 26, 2012 11:01 PM
  • Steve and Sweet, Windows Azure has not been certified as PCI compliant at this time. The Microsoft Global Foundation datacenters are PCI compliant, but the software stack that is Windows Azure has not received this certification yet. It's still being worked on.

    Given this, I would strongly recommend not doing any CC processing or storage within Windows Azure.

    Thursday, June 28, 2012 1:21 PM
  • Windows Azure can never be PCI compliant because it can't take into account the whole environment and the applications it runs, i.e. everyone else's applications. If I personally host an insecure application that would invalidate the certification at the data center level, so the application itself needs to be PCI compliant, not the datacenter.

    You can process payments through Windows Azure as long as the application meets compliance. But as I said above, whether the application can meet compliance in Windows Azure is decided by the amount of money that is processed in a given period of time.


    Developer Security MVP | www.syfuhs.net

    Thursday, June 28, 2012 4:52 PM
  • I'll take your word for it Steve. But your statements run contrary to my understanding of PCI compliance. :) But I'm by no means an expert. It will remain something I caution clients away from, but right along with that, my firm also recommends that clients concerned about such issues have their own internal experts or an independent 3rd party verify.

    Thursday, June 28, 2012 10:30 PM
  • Fair enough. :) You are right though, an independent 3rd party should be used to verify.

    Developer Security MVP | www.syfuhs.net

    Friday, June 29, 2012 1:36 AM
  • Steve's advice regarding PCI DSS requirements for different levels could be misleading. PCI DSS requirements apply to all companies that process, store, or transmit cardholder data. Regardless of the number of transactions processed, companies should comply with ALL PCI DSS requirements.

    However, reporting requirements are different depending on merchant or service provider level. While small companies are still required to comply with all the applicable PCI DSS requirements, they may not be required to undergo an assessment conducted by a QSA, and they may self-attest to their compliance status.

    Brent is correct, sweet_harmony89: you should not process cardholder data using a non-certified cloud service provider. Microsoft Azure should provide its customers with an attestation of compliance stating that they are PCI DSS compliant; otherwise, you won't be able to be PCI DSS compliant. You can self-attest and state that you are, but if for any reason you have to undergo an assessment conducted by a QSA, it would be clear that you are not, by using a non-compliant service provider.

    I hope this helps. FYI, I have been a QSA full time since 2007.

    Monday, September 10, 2012 3:24 PM
  • The underlying Windows Azure physical infrastructure (datacenter, networking, physical access) is PCI DSS validated. However, Windows Azure features (e.g., Storage, Cloud Services, Virtual Machines, etc.) have not been PCI DSS validated. There is a PCI DSS Level 1 validation that Windows Azure would need to get only if you were to store, process, or otherwise access credit card information in Azure. Effectively, Windows Azure would need to provide you with a Report on Compliance (ROC) that your Qualified Security Assessor (QSA) would use when assessing PCI DSS compliance for your Azure application. The Windows Azure platform alone cannot be PCI DSS compliant.

    You may be able to use an off-platform payment processor for your Azure application and not require Azure to be in scope for PCI DSS validation. However, the exact scope of the audit will need to be decided by your QSA. Customers have the ultimate responsibility for complying with their industry regulations, including PCI DSS.
    Wednesday, March 27, 2013 3:20 AM