Share via

API managment for the compliance PCI DSS

Joel Acosta 20 Reputation points
2024-07-09T20:48:14.1733333+00:00 
Good afternoon

I am currently advising a company for compliance with the PCI DSS standard in Azure and the following scenario arises. They have an API manager where all the APIs are configured without discrimination, both those that consume and do not consume card data in the Backend. My question is the following, what is the recommended architecture to be able to isolate those APIs that must be part of PCI DSS and separate them from those that are not PCI DSS, or failing that, if it were not necessary to isolate them, so that I can make sure The APIs do not talk to each other and do not have direct communication.

I thank you in advance for your response.
Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,927 questions
0 comments
Accepted answer
  1. navba-MSFT 20,125 Reputation points Microsoft Employee
    2024-07-10T05:00:11.08+00:00

    @Joel Acosta Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    .

    Microsoft Azure is certified as compliant under PCI DSS version 4.0 at Service Provider Level .

    It is important to understand that Azure PCI DSS compliance status doesn't automatically translate to PCI DSS validation for the services that you build or host on the Azure platform. You're responsible for ensuring that you achieve compliance with PCI DSS requirements. More info here.

    .

    Azure API Management is one of the service under Azure, so it should be  in scope for PCI DSS compliance but Since APIM is a Integration Service it's the responsibility of the customer to make sure that their backend API's are Compliance with PCI  and DSS Standards.

    .

    Regarding your question, in terms of architecture, it’s important to isolate APIs that handle card data (PCI DSS) from those that do not. This can be achieved by creating separate API Management instances for APIs that handle card data and those that do not. This way, you can apply stricter security controls and monitoring on the API Management instance that handles card data.

    .

    Furthermore, to ensure that APIs do not communicate directly with each other, you can implement network security controls such as firewalls, network segmentation, and access controls. These controls can help prevent unauthorized access and data leakage between APIs. Refer this article.

    .

    Please refer the security baseline benchmarking for the Azure APIM: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline

    .

    Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more