PCI DSS and non-PCI DSS on Azure

Chand, Anupam SBOBNG-ITA/RX 461 Reputation points
2022-07-07T15:29:38.827+00:00

We have a requirement of hosting a PCI DSS environment on Azure. This will consist of a mixture of VMs, App Service and a few other resources. My question is that we also have some services which we would like to keep out of PCI scope, as they do not have any PCI data but interact with some of the PCI DSS in-scope services.
An example is: we have a VM scale set which is reading and writing PCI data from and to a storage account (Acct1). But we also want this same VMSS to read and write non-PCI data from and to another storage account (Acct2), which we intend to keep out of scope of the PCI DSS assessment.
Any suggestions on how to achieve this from a networking perspective? We had initially proposed to use private endpoints, but our security team doesn't seem convinced of this. Is there some specific placement of the private link subnet? Should it reside in the PCI DSS VNet or some other VNet in order to achieve proper network segregation?
I believe the online Azure documentation on PCI DSS only seems to assume that the entire system is PCI DSS.


Accepted answer
  1. KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee
    2022-07-13T16:44:08.943+00:00

    Hi @Chand, Anupam SBOBNG-ITA/RX ,

    I am summarizing the thread and posting an answer.

    You would like to understand how to isolate the PCI DSS and non-PCI DSS components in Azure.

    Per our discussion,

    • This totally depends on your architecture and requirements
    • One such way of doing this is to leverage Virtual Network peering to group and isolate components by VNet

    The following documents may come in handy.

    Thanks,
    Kapil

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

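As an added illustration of the "group and isolate by VNet" approach from the accepted answer (this is example code written for this page, not the answerer's or Microsoft's), the Bicep template below builds the topology from the question: the VMSS and Acct1's private endpoint sit in a PCI VNet, Acct2's private endpoint sits in a separate non-PCI VNet, the two VNets are peered, and an NSG on the non-PCI private endpoint subnet admits HTTPS only from the VMSS subnet. All resource names, address ranges, SKUs and the single-subnet VMSS layout are assumptions.

```bicep
// Added example, not code from the thread or from Microsoft. Two peered VNets;
// each storage account's private endpoint lives in the VNet matching its PCI
// scope. All names, address ranges and the VMSS subnet layout are assumptions.
param location string = resourceGroup().location
param acct1Name string = 'stpciacct1'     // assumed name: holds PCI data
param acct2Name string = 'stnonpciacct2'  // assumed name: holds no PCI data
var vmssSubnetPrefix = '10.10.1.0/24'     // where the VMSS NICs sit (assumed)

// ---- PCI VNet: the VMSS subnet plus a subnet for Acct1's private endpoint
resource pciVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-pci'
  location: location
  properties: { addressSpace: { addressPrefixes: ['10.10.0.0/16'] } }
}

resource vmssSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: pciVnet
  name: 'snet-vmss'
  properties: { addressPrefix: vmssSubnetPrefix }
}

resource pciPeSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: pciVnet
  name: 'snet-pe'
  dependsOn: [vmssSubnet] // subnets of one VNet must be created one at a time
  properties: { addressPrefix: '10.10.2.0/24' }
}

// ---- Non-PCI VNet: only a private endpoint subnet. The NSG admits HTTPS from
// the VMSS subnet and nothing else; the explicit deny matters because the
// default AllowVnetInBound rule would otherwise admit all peered-VNet traffic.
var peRules = [
  { name: 'allow-https-from-vmss-subnet', priority: 100, access: 'Allow', protocol: 'Tcp', source: vmssSubnetPrefix, port: '443' }
  { name: 'deny-all-other-inbound', priority: 4000, access: 'Deny', protocol: '*', source: '*', port: '*' }
]

resource nonPciPeNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-nonpci-pe'
  location: location
  properties: {
    securityRules: [for r in peRules: {
      name: r.name
      properties: { priority: r.priority, direction: 'Inbound', access: r.access, protocol: r.protocol, sourceAddressPrefix: r.source, sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: r.port }
    }]
  }
}

resource nonPciVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-nonpci'
  location: location
  properties: { addressSpace: { addressPrefixes: ['10.20.0.0/16'] } }
}

resource nonPciPeSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: nonPciVnet
  name: 'snet-pe'
  properties: {
    addressPrefix: '10.20.2.0/24'
    privateEndpointNetworkPolicies: 'Enabled' // without this the NSG is not applied to private endpoint traffic
    networkSecurityGroup: { id: nonPciPeNsg.id }
  }
}

// ---- Peering in both directions so the VMSS can reach Acct2's private endpoint
resource pciToNonPci 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: pciVnet
  name: 'to-nonpci'
  properties: { remoteVirtualNetwork: { id: nonPciVnet.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: false }
}

resource nonPciToPci 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: nonPciVnet
  name: 'to-pci'
  properties: { remoteVirtualNetwork: { id: pciVnet.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: false }
}

// ---- Storage accounts: public access off, private endpoint in the VNet that
// matches the account's scope. Same shape for both; only the subnet differs.
var accounts = [
  { name: acct1Name, subnetId: pciPeSubnet.id }
  { name: acct2Name, subnetId: nonPciPeSubnet.id }
]

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = [for a in accounts: {
  name: a.name
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: { publicNetworkAccess: 'Disabled', networkAcls: { defaultAction: 'Deny', bypass: 'None' }, allowBlobPublicAccess: false, minimumTlsVersion: 'TLS1_2' }
}]

resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = [for (a, i) in accounts: {
  name: 'pe-${a.name}-blob'
  location: location
  properties: {
    subnet: { id: a.subnetId }
    privateLinkServiceConnections: [{ name: 'blob', properties: { privateLinkServiceId: storage[i].id, groupIds: ['blob'] } }]
  }
}]
```

Two things the template deliberately leaves out. First, name resolution: a private endpoint only works if the storage hostname resolves to the endpoint's private IP, so a `privatelink.blob.core.windows.net` private DNS zone has to be linked to the PCI VNet (where the VMSS does its lookups) and populated for both endpoints. Second, scope: the VMSS handles PCI data and is in scope regardless of where Acct2's endpoint lives; the NSG bounds which in-scope systems can reach Acct2 and on which port, but whether that is enough to keep Acct2 out of the assessment is the assessor's call, not something the topology decides on its own.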
