Hosting a PCI compliant application on Azure

I want to host an application on Windows Azure that stores credit card information for users who pay a monthly subscription fee. I just have to keep the card data as safe as possible (encrypt, salt, frequently update the database password, use HTTPS, etc.).

I believe that I need to be PCI compliant in order to store such information. My question is: can Azure achieve this? What are my options? Can an application on Azure accept credit card payments?

+8
azure credit-card pci-compliance
5 answers

Windows Azure is currently not PCI compliant (it may be in the future, but not now; see the roadmap).

EDIT: Azure is now Level 1: windowsazure.com/en-us/support/trust-center/compliance

Windows Azure has a Trust Center page that explains all of its security and compliance (I suggest you read more there about what Azure does and does not have): https://www.windowsazure.com/en-us/support/trust-center/

You have the option of building your application on Azure but letting a third party (one that is PCI compliant) do the actual credit card processing for you, thereby reducing the risk from Azure not being PCI compliant.

+11

Today, Azure is PCI DSS Level 1 compliant.

http://blogs.msdn.com/b/windowsazure/archive/2014/01/16/announcing-pci-dss-compliance-and-expanded-iso-certification-for-windows-azure-general-availability-of-windows-azure-hyper-v-recovery-manager-and-other-updates-to-windows-azure.aspx

https://www.windowsazure.com/en-us/support/trust-center/compliance/

My understanding is that PCI compliance means you are now allowed to build applications on Azure and be able to obtain PCI certification. Simply building the application and hosting it on Azure does not guarantee compliance.

+10

It is compliant now. You can visit the Windows Azure Compliance page and download the PCI Azure Customer User Guide.

+4

It is broadly compliant. Try to build the application using web apps and a DB that communicate with each other and do not use public IP space. Here are some of the PCI-DSS requirements involved.

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

1.3.3 Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment.

1.3.5 All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example, by restricting source/destination addresses/ports and/or blocking content).

0
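As an added example (not part of any answer on this page), a small Python check that replays Azure NSG first-match semantics over a constructed rule set for a database subnet and reports where the requirements 1.2.1 and 1.3.3 quoted in the answer above would fail. The rule keys follow the Azure NSG securityRules schema; the names, addresses and the assumption that the VNet address space is RFC 1918 are mine.

```python
import ipaddress

# Constructed sample, not a real deployment: NSG on the database (CDE) subnet 10.0.2.0/24.
# Keys follow the Azure NSG securityRules schema; protocol is not modelled.
SAMPLE_RULES = [
    {"name": "allow-app-sql", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.1.0/24", "destinationAddressPrefix": "10.0.2.0/24",
     "destinationPortRange": "1433"},
    {"name": "allow-rdp-anywhere", "priority": 200, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRange": "3389"},
    # No explicit Outbound deny, so Azure's default AllowInternetOutBound still applies.
]

# Assumption: the VNet address space is RFC 1918; anything else counts as "Internet".
_VNET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _in_vnet(addr):
    return any(ipaddress.ip_address(addr) in net for net in _VNET)

def _prefix_matches(prefix, addr):
    """Handle '*', the Internet/VirtualNetwork service tags, and CIDR or single-IP prefixes."""
    if prefix == "*":
        return True
    if prefix in ("Internet", "VirtualNetwork"):
        return _in_vnet(addr) == (prefix == "VirtualNetwork")
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def _port_matches(port_range, port):
    lo, _, hi = port_range.replace("*", "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)

def effective_access(rules, direction, src, dst, port):
    """Azure semantics: the matching rule with the lowest priority number wins."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"] == direction and _prefix_matches(r["sourceAddressPrefix"], src)
                and _prefix_matches(r["destinationAddressPrefix"], dst)
                and _port_matches(r["destinationPortRange"], port)):
            return r["access"]
    # Azure default rules: AllowVnetInBound then DenyAllInBound; all outbound allowed.
    return ("Allow" if _in_vnet(src) else "Deny") if direction == "Inbound" else "Allow"

def pci_findings(rules, cde_host="10.0.2.4", app_host="10.0.1.5", internet_host="203.0.113.10"):
    findings = []
    if effective_access(rules, "Inbound", internet_host, cde_host, 3389) == "Allow":
        findings.append("1.3.3: Internet can reach the CDE directly (tcp/3389)")
    if effective_access(rules, "Outbound", cde_host, internet_host, 443) == "Allow":
        findings.append("1.3.3: CDE can initiate traffic to the Internet (tcp/443)")
    if effective_access(rules, "Inbound", app_host, cde_host, 1433) != "Allow":
        findings.append("1.2.1: application tier is blocked from the database (tcp/1433)")
    return findings
```

Running `pci_findings(SAMPLE_RULES)` reports two 1.3.3 findings; dropping the any-source RDP rule and adding a low-priority Outbound Deny to the Internet service tag clears them while keeping the app-to-SQL path open.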

The Windows Azure PCI Attestation of Compliance (AoC) does not list the services that customers can actually go out and buy. The AoC certifies the following services:

Azure Core Services, Azure Platform Services, Azure Directory Services, data processing, infrastructure, operations.

... but these services (at least by name) cannot be "bought."

I put together the following blog article on why a QSA, for example one with several years of experience in PCI DSS auditing, has a problem with Azure:

https://www.2-sec.com/2015/11/19/is-microsoft-azure-pci-dss-compliant-lessons-in-due-diligence/

Tim Holman, QSA, 2-sec

0
