16

If I were to use a separate Windows Server that was PCI-DSS compliant, would I still be compliant if I had SQL Azure hosting the backend? This is assuming that I'm compliant at the application layer, and that I'm only storing permitted values (like no CVV), etc.

jchapa

7 Answers

14

AWS is now PCI DSS 2.0 Level 1 compliant, so the assumption that Level 1 is not achievable by a cloud vendor is not correct:

http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/

In addition, Rackspace has also achieved PCI Level 1 compliance:

http://www.rackspace.co.uk/rackspace-home/media-centre/news/article/article/rackspace-enhances-security-with-pci-accreditation/

It is true that Microsoft has not yet achieved PCI compliance for Windows Azure.

It is likely that they are actively working on addressing any limitations in Windows Azure so that they will also be able to provide this service to their customers and remain competitive, but as of today they have not yet achieved PCI compliance.

Erik
  • Please note that this answer is no longer accurate. MS Azure has achieved PCI-DSS level 1 compliance as per my below comment on 10 July. – CShark Nov 12 '14 at 14:58
11

Microsoft writes in the Azure FAQ:

At commercial launch, Windows Azure will not have specific audit or security certifications. You can expect to see us pursue key certifications, such as the ISO27001, in the near future. The Windows Azure Platform and Windows Azure apply the rigorous security practices incorporated in the Security Development Lifecycle (SDL) process. SDL introduces security and privacy early and throughout the development process. The Windows Azure Platform and Windows Azure also benefit from the security capabilities afforded by the Microsoft Global Foundation Services’ (GFS) infrastructure. The GFS assurances are validated by external auditors on a regular basis and include a comprehensive security program that covers the entire delivery stack.

Microsoft makes no claim regarding PCI standards for 3rd party hosting. There are ways to develop cloud-based applications to use 3rd party PCI data processors that may keep the cloud application itself out of scope.

http://www.microsoft.com/windowsazure/faq/default.aspx

Choose "Licensing and Service Level Agreements" in the drop-down, then find the last paragraph: "What industry audit and security certifications cover the Windows Azure Platform? Specifically, call out position on SAS70, ISO 27001, and PCI?"

Erwin
  • Not sure if you've seen the security briefing but it looks like Microsoft Data Centers are PCI compliant as of January 2012: http://cdn.globalfoundationservices.com/documents/Strategy_Brief_Securing_Cloud_Infrastructure.pdf – Colin Bowern May 16 '12 at 19:32
3

Just an update on this question.

As it stands currently, Windows Azure is indeed PCI DSS Level 1 compliant. See the following Windows Azure Trust Centre article for more information: Windows Azure Trust Center - Compliance

CShark
3

Not sure of PCI-DSS Compliance status in Azure, but I will note that Azure and EC2S3 are not the same animals. Azure is a completely hosted infrastructure which exposes services and endpoints to offer application writers the ability to sit on a fully managed and monitored (including typical security constructs in place for the on-premise Server product) platform, and extend these services to the resident applications.

Considering the amount of time that Microsoft has spent with the PCI folks (from Vista on), I would be highly surprised if a PCI-DSS compliant application didn't maintain its level of certification when extended to Windows Azure.

Hope this helps. The purpose wasn't to bash EC2S3, it was more to fill in the blanks on Azure.

Mr. Helper :-)

Mr. Helper
2

With PCI DSS it is important to remember that it is not just about storing, it's "store, process, or transmit." If any of this happens in or through the cloud then the cloud becomes part of your cardholder data environment, thus in scope for PCI compliance. Since it's a cloud that you don't control, there would be no way to verify compliance.

No verification, no compliance. Sorry.

Gene
  • Does it require control if the provider verifies compliance, though? Let's say you use a third party hosting provider (cloud or physical). If they conform to PCI standards, and can pass the scan, it's legitimate, right? I'm pretty sure you don't have to own the server to be compliant... – jchapa Aug 01 '10 at 04:09
1

Amazon announced PCI DSS Level 1 compliance on Dec 07, 2010. My answer below is now incorrect.

See http://www.mckeay.net/2009/08/14/cannot-achieve-pci-compliance-with-amazon-ec2s3/. Amazon says you can't achieve PCI-DSS level 1 compliance on their infrastructure. The important lines are -

It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers.

I haven't read Azure's documentation, but I am pretty sure they don't allow on-site auditing. Given that, the same conclusions would apply to Microsoft Azure as well.

Sripathi Krishnan
  • Every merchant level under PCI DSS must meet the exact same obligations. The only difference in the levels is in the amount of proof / auditing required for the yearly assessment (SAQ). For Level 4, it is pretty much an honesty system. For Level 1, you must undergo a full audit by a QSA, where they physically inspect everything. However, for both cases, the merchant/service provider still has to follow all 12 points of the PCI DSS. In other words - if Amazon says you can't be PCI DSS 'level 1' compliant, then you can't be PCI DSS compliant, period. – Mike Oct 10 '10 at 23:09
  • Not sure of the authority of that blog, but this is what the official amazon FAQ says: "Merchants who process, store, and/or transmit credit card data on the AWS infrastructure can be PCI compliant, including Level 1 merchants." http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/ – Ben Collins Apr 25 '11 at 17:58
  • @Ben Collins - AWS achieved PCI-DSS level 1 on Dec 7 2010. My answer and the accompanying blog post were the truth before then. I will update my answer accordingly. – Sripathi Krishnan Apr 26 '11 at 15:22
1

Looks like AWS and Rackspace both have achieved some level of compliance (http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/, http://www.rackspace.co.uk/rackspace-home/media-centre/news/article/article/rackspace-enhances-security-with-pci-accreditation/), but Global Foundation Services (the infrastructure behind Microsoft Windows/SQL Azure, CDN, etc.) has not (http://www.globalfoundationservices.com/security/). I would not be surprised to see that GFS achieves some accreditation in the near future, however.

Ben Collins