What does PCI Compliance mean for Windows Azure?

On January 16th, 2014 it was announced that Windows Azure met PCI DSS Level 1 compliance.  You can check out ScottGu’s blog post about the announcement, or the Windows Azure Trust Center, but what does this actually mean?  Does it mean you can go host a payment gateway on Windows Azure, or store open credit card data there? 

PCI compliance is a standard used for being able to handle card holder data for things like credit cards and debit cards.  By handling I mean not only making charges to a card, but also just storing the data for any reason, such as a merchant that stores your card to make checkout faster, etc.  This compliance is something that I’ve heard as a request from folks looking at Azure for years now.  I used to work for a financial services company and this was definitely a major blocker for adoption for folks in that industry.  While many companies found other uses for Windows Azure, they couldn’t do much for the core business as they needed to have PCI compliance to do so.  Needless to say this is a big deal.

Now, to be fair, the actual underlying systems running Windows Azure in the Data Centers have been PCI compliant for a while now.  This is why you may have seen Microsoft listed on the PCI DSS websites prior to now.  This meant that the Data Centers themselves met a lot of the requirements, but that the exposed customer services didn’t mean all the requirements yet.  According to the Attestation of Compliance from the reviewer the following Windows Azure features are in scope and covered:   infrastructure, development platform, operations and support for compute, data services, app services and network services.  Basically, it looks like everything and the kitchen sink.  I couldn’t find any exclusions listed.

Within the PCI DSS guidelines there are 12 requirements.  That sounds simple until you dig into them, but at a high level there are 12.  They cover various aspects of security such as firewalls, physical access, user permissions, policies and more.  You can read all about them on the PCI website and in their quick standards guide (yes, the quick version is 34 pages long).  Each one of these requirements and all of their sub requirements have to be met in order for a solution to be PCI compliant, and that is really the important point.  In order for a solution to be compliant it has to meet all the requirements, since Windows Azure is a platform in which you are resting part or all of your solution then there is still some work to be done on your end.  With today’s announcement Microsoft is bearing some of the burden of compliance verification.  The Customer Azure PCI Guide details out which requirements are met completely by Windows Azure, and which ones will need to be also proved out by the customer (meaning you). 

I’ve worked at a company that dealt with PCI compliance and when auditors were in to verify everything it was always a stressful time.  It’s not that we were worried we’d have issues, but more along the lines of all the effort needed to get the requirements proved out so that the auditor had everything they needed.  There was a lot of prep and research that went into gathering the information.  What Microsoft has done is take some of that load off of you as the customer.  For example, you don’t have to prove out that your routers are secured and synchronized.  The Customer Azure PCI Guide I mentioned above details out each requirement indicating what is met simply because you host in Windows Azure and what needs to be proved by the customer for their solution. 

So, yes, you can create a payment gateway or store credit card data on Windows Azure, but beyond what Microsoft is attesting to you’ll need to cover all the other requirements.  Also, if your solution is hybrid and has pieces located in a data center outside of Windows Azure you’ll need to ensure that all requirements are met there as well.  While it isn’t a blanket that anything running on Windows Azure is compliant, with this announcement you now can begin to work on solutions that require this level of compliance knowing the foundation/platform you are building from is covered.

If you are wondering what the “Level 1” means in the announcement it refers to the level of requirements that need to be met in the PCI standard based first on the number of transactions the compliance holder is going to have go through their system.  The more volume your company goes through the more stringent the requirements you have to meet, which makes sense.  If you process and store tons of card numbers you’re also going to be a much likely target for those who wish to get at that data.  Level 1 means Windows Azure has to meet the highest standards for PCI compliance and is required for any merchant handling more than 6 million transactions a year.  Also, the level a merchant has to meet can also be shifted to the higher standards if they’ve had a breach of security in the past. 

I am certainly not a PCI expert, but I’ve worked with employers and clients who have dealt with PCI in the past.  This announcement is a big deal.  Hats off to the Windows Azure team!

UPDATE - Nov 20th, 2015: Tim Holman has written an article about his own thoughts on Azure PCI compliance. It’s well worth a read and makes some really good points. The Attestation of Compliance (AoC) document that was written in 2014 is out of date with the actual listing of services by names and branding. For example, we now call Azure Websites Azure App Service. Without a good mapping of what the very broad coverage mentioned in the AoC refers to it is hard to ensure you are covered.

I’d highly suggest that if you are looking at Azure for a solution that requires PCI Compliance that you perform as much due diligence on your own as you can. Take your solution design and go over it with a fine tooth comb. If necessary, reach out to Microsoft and speak to someone in the Security and Compliance groups to get verification on what is, or is not, covered.