PCI DSS compliance for your Azure hosted SaaS

[Editor’s Note] PCI DSS is changing in 2024. Find out everything you need to know about the new PCI DSS 4.0 requirements, including the key dates for PCI DSS compliance, in our latest blog post now: PCI DSS 4.0 and Penetration Testing – What You Need to Know
Cloud computing has brought in a paradigm shift and transformed how organizations across the globe offer their services. Instead of setting up physical infrastructure, most organizations prefer moving to a cloud environment for on-demand access to resources. Cost-effectiveness and minimal management requirements further push SaaS providers to rely on cloud infrastructure, as compared to physical infrastructure. Because of the economies of scale, cloud service providers can provide a wide range of resources to their clients. Other prominent benefits include agility, redundancy, high availability, disaster recovery, and business continuity. Microsoft Azure is one of the leading cloud service providers, and in this article, we explore PCI DSS requirements for your Azure-hosted SaaS.

Is Azure compliant with PCI DSS?

Microsoft Azure states that its services comply with more than 90 compliance certificates across the globe and industries. As per Microsoft’s documentation, an approved Qualified Security Assessor (QSA) has reviewed Azure, OneDrive for Business, and SharePoint Online, and it has certified these services as compliant with PCI DSS version 3.2 for the highest volume of transactions (Service Provider Level 1: 6 million+ transactions a year).

Azure customers can use the Attestation of Compliance (AoC) and Report on Compliance (RoC) issued by the QSA. Microsoft customers can use these validations for developing cardholder data environments (CDEs) or card processing services to reduce the costs and efforts involved in achieving PCI DSS certification. At the same time, it clarifies that PCI DSS compliance status for services mentioned above does not translate to PCI DSS certificate for services built or hosted by customers on these platforms. Customers remain responsible for achieving compliance with PCI DSS requirements. If you have hosted your SaaS solution on Azure, you can use this control mapping blueprint for PCI DSS v3.2.1 to get started with your compliance project.

Sharing of responsibilities and complying with PCI DSS requirements

Figure 1: Level of control/responsibility for client and CSP across different service models (Source: PCI SSC)

Given that you are a SaaS provider, you will either avail Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) from Azure. While it is true that lines are blurring between SaaS, PaaS, and IaaS, PaaS services enable organizations to deploy their applications on cloud infrastructure using tools, , languages, and libraries supported by a cloud service provider. A PaaS frservicesamework gives the ability to build upon, develop from scratch, or customize applications for streamlining the development, testing, and deployment of applications. A PaaS platform generally provides OS, DBMS, server software, storage, design and development tools, hosting, network access, server-side scripting environment, and support.

On the contrary, an organization is entirely responsible for environment configuration in an IaaS environment. Besides, you will also be responsible for implementing security measures for defending your IaaS against cyber attacks. IaaS platforms require a tremendous amount of effort to maintain: from anti-virus solutions to user management to file integrity monitoring.

Figure 2: Control assignment between a CSP and its clients across service models (Source: PCI SSC)

A SaaS offering in the cloud environment reduces PCI DSS compliance requirements while IaaS substantially increases the costs and efforts for demonstrating compliance. For any cloud service provider, an organization must perform required due diligence to check the CSP’s compliance with required standards, regulations, and laws.

Besides, the PCI Security Standards Council has also published an information supplement document to help organizations understand how responsibilities can be shared between a cloud service provider and its clients.

Figure 3: Sharing of responsibilities between a CSP and its clients (Source: PCI SSC)

Figure 2 is another example where PCI SSC provides an example of how security controls can be assigned between a CSP and its clients. At the same time, it recognizes that technology layers and responsibilities may differ for CSPs and may not incline with Figure 2 conveys. On similar lines, PCI SCC provides an example of how PCI DSS requirements can be shared between a CSP and its clients across different service models.

Being a SaaS provider, we accept that the concept of shared responsibility is a difficult path to navigate. While some of the PCI DSS requirements are straightforward to define scope and boundaries, many requirements can overlap if they are not defined at the beginning of a contractual relationship.

Are you struggling with your PCI DSS compliance program? Get in touch with our security experts today to understand how BreachLock ensures that you have a single managed service covering security testing and PCI ASV-certified scans for your organization.