Is Azure App Service Compliant with PCI Standard 3.0 and 3.1?

bharathn-msft 5,086 Reputation points Microsoft Employee
2019-10-29T21:58:04.313+00:00

Whether Azure App Service Compliant with PCI Standard 3.0 and 3.1?

Sourced from FAQ

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,219 questions
0 comments No comments
{count} vote

Accepted answer
  1. Grmacjon-MSFT 17,136 Reputation points
    2019-10-29T23:10:15.513+00:00

    Hello,
    Currently, the Web Apps feature of Azure App Service is in compliance with PCI Data Security Standard (DSS) version 3.0 Level 1. PCI DSS version 3.1 is on our roadmap. Planning is already underway for how adoption of the latest standard will proceed.
    PCI DSS version 3.1 certification requires disabling Transport Layer Security (TLS) 1.0. Currently, disabling TLS 1.0 is not an option for most App Service plans. However, if you use App Service Environment or are willing to migrate your workload to App Service Environment, you can get greater control of your environment. This involves disabling TLS 1.0 by contacting Azure Support. In the near future, we plan to make these settings accessible to users.
    For more information, see Microsoft Azure App Service web app compliance with PCI Standard 3.0 and 3.1.

    Sourced from FAQ

    Please let us know if you have further questions.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Damir Dobric 6 Reputation points MVP
    2019-11-01T08:50:20.993+00:00

    In the provided url above following remark can be found:

    PCI DSS version 3.1 certification requires disabling Transport Layer Security (TLS) 1.0. Currently, disabling TLS 1.0 is not an option for most App Service plans.

    It is not clear if "most AppService plans" support PCI x.y. or not. AppService environment is different offering, which does support PCI 3.1.
    However most people focus AppService. In this context, I it is not clear if, what and how exactly PCI can be achieved?

    My suggestion is to provide here a bit more transparent and concrete answer related to AppService.

    0 comments No comments

  2. Michael 1 Reputation point Microsoft Employee
    2019-11-04T02:12:47.53+00:00

    It's important to remember that your solution will not just involve App Service and you need to look at all of the services when attempting to map to compliance controls.

    I would start at the Microsoft Trust Center. If you are part of a corporate security and compliance team, that site is your friend.

    From there you can get to the PCI-DSS overview page, from which you can get to a number of resources, including the Attestations of Compliance for Azure Services.

    The Azure PCI DSS Responsibility Matrix will help you identify what you are responsible for vs. what Microsoft is responsible for in establishing your controls. To help with some of the control mapping and enforcement, there is also an Azure Blueprint that you might be able to leverage.

    Hope this helps.

    0 comments No comments