Compliance in Microsoft Cloud for Retail
Microsoft Azure, Microsoft Dynamics 365, Microsoft 365, and Microsoft Power Platform services and its underlying infrastructure employ a security framework that encompasses industry best practices and spans multiple standards. These standards include the ISO 27000 family of standards, among others. As part of our comprehensive compliance offering, Microsoft regularly undergoes independent audits performed by qualified partner accredited assessors.
To use Microsoft Cloud for Retail, you need to agree to the Online Service Terms and the Microsoft Privacy Statement as the qualifying license terms for Microsoft 365/Office 365, Dynamics 365, Microsoft Power Platform, and Azure.
The following table lists the products available with Microsoft Cloud for Retail and their compliance offerings:
| Product Family | Product | ISO 27001 | ISO 27017 | ISO 27018 | ISO 22301 | SOC2 Type 2 | PCI DSS Level 1 | GDPR |
|---|---|---|---|---|---|---|---|---|
| Dynamics 365 | Marketing | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Dynamics 365 | Customer Service | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Dynamics 365 | Customer Insights | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Dynamics 365 | Commerce | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Dynamics 365 | Connected Store | ✅ | ✅ | ✅ | ✅ | ✅ | - | ✅ |
| Dynamics 365 | Fraud Protection | ✅ | ✅ | - | - | - | ✅ | - |
| Dynamics 365 | Intelligent Order Management | ✅ | ✅ | ✅ | ✅ | ✅ | - | ✅ |
| Dynamics 365 | Intelligent Recommendations | - | - | - | - | ✅ | - | - |
| Dynamics 365 | Supply Chain Insights | - | - | - | - | - | - | - |
| Dynamics 365 | Supply Chain Management | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Dynamics 365 | Chat for Dynamics | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Microsoft 365 | Microsoft Teams | ✅ | - | - | - | - | - | - |
| Microsoft 365 | Viva Connections | - | - | - | - | - | - | - |
| Microsoft 365 | Viva Insights | - | - | - | - | - | - | - |
| Microsoft 365 | Viva Learning | - | - | - | - | - | - | - |
| Microsoft Azure | Azure Search | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Microsoft Azure | Azure Synapse Analytics | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Microsoft Clarity | - | - | - | - | ✅ | - | ✅ | |
| Power Virtual Agents | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | |
| PromoteIQ | - | - | - | - | - | - | ✅ |
Legend: ✅ = available
You can find more details about these offerings on our compliance page.
Elevated access
Microsoft internal policy allows Microsoft employees who have the appropriate security group membership to request temporary just-in-time elevated access so that they can perform servicing and support activities on production systems. The internal ticketing system tracks and reviews every just-in-time access request.
Disclaimer
It's important to understand that PCI DSS compliance status for Microsoft Cloud for Retail solutions doesn't automatically translate to PCI DSS certification for the services that customers build or host on these platforms. Additionally, Microsoft Cloud for Retail doesn't offer payment card processing as a service and thus doesn't use an acquirer. Customers are responsible for ensuring that they achieve compliance with PCI DSS requirements.
You can find the regulatory compliance standards that apply to certain features offered through the Microsoft Retail Add-On on the compliance dashboard. You can also visit our Trust Center to learn more about Microsoft’s commitments to data protection and privacy.
Resources
- Trust Center
- Microsoft 365 data residency and Privacy
- Azure data residency and Privacy
- Dynamics 365 and Power Platform data residency and Privacy
- Security in Microsoft Cloud for Retail