Does Microsoft 365 Support PCI DSS Compliance?

One concern when using cloud services is whether your service of choice supports PCI DSS compliance. If you are handling any kind of financial information, credit card companies require PCI compliance. This is intended to protect you and your customers and reduce fraud.

In today’s world, accepting credit cards online is vital for almost all businesses, and businesses need to ensure that they meet the right standards of security. Even large companies are hit by high profile data breaches, but cybercriminals love to target small businesses that might not have their security standards up to where they should be.

What Is PCI DSS?

As online credit card transactions started to become popular, the major credit card companies founded the PCI Security Standards Council to ensure that all merchants follow best practices on security policies and practices to reduce fraud and protect consumers.

This means that everyone is using the same security standards and the council provides educational resources to help you reach compliance. PCI also ensures that you are compliant with local regulations across the globe, which results in slightly different standards in different countries. However, much of the overall framework is the same.

A failure to comply can result in a loss of ability to process payments and can also impact your customers. PCI DSS (Payment Card Industry Data Security Standard) is not just a requirement, but a good idea, giving you access to cohesive standards that have been developed over years through collaboration between credit card companies, vendors, and financial institutions. This forms a set of proven best practices that help you avoid problems.

There is a related standard, PA DSS, which is only used for software vendors developing third-party card authorization applications, and thus this does not apply to cloud services. This can sometimes result in some confusion, but for right now all you need to know is that it does not apply to your cloud storage and processing of financial information.

PCI DSS Compliance

Microsoft 365 used to explicitly say it was not PCI compliant and, thus, shouldn’t store sensitive financial information. This is still true of basic 365 cloud services, as they are not designed to process credit cards. However, there is still a high level of compliance to security protocols. However, primarily due to the heavy use of their high-end services by the government, they have now taken steps to support PCI compliance. These steps don’t make your use of Microsoft services compliant out-of-the-box but are part of how they protect themselves and you from security issues. Because of the “flow-down”, some of their compliance is available to you and other customers using Microsoft’s various cloud services.

How Does Microsoft 365 Support PCI DSS Compliance?

As a major cloud provider, Microsoft has made a strong effort to ensure that its systems and services are PCI compliant. Every year, Microsoft conducts an audit with a Qualified Security Assessor, who makes sure their services meet the high standards needed. Because of the volume of transactions, they have to be compliant with PCI DSS version 3.2 at Service Provider Level 1. This is the highest level of service provider certification. Generally, small businesses generally fall into level 3 (20,000 to 1 million transactions) or level 4 (fewer than 20,000). This means that Microsoft’s services are compliant to a higher level than you are likely to need. (As an aside, this also protects your financial data as a Microsoft customer.)

Azure

This provides a support framework, and Microsoft also has a PCI DSS Blueprint for Azure. PCI DSS Blueprint helps their customers with tools including reference architectures and scripts to help them get compliant quickly. This blueprint is intended for customers doing heavy processing and storage of data through Azure. As Azure is also used by governments, it has to meet certain high standards in general, and this allows even the Azure Public cloud to provide a high level of security and peace of mind.

To verify compliance, Microsoft provides Attestations of Compliance for Azure and OneDrive for Business and SharePoint Online. Note that you need to have a Microsoft 365 for Business account to view these links. The documents are designed as proof that the services are indeed compliant. Also note that Azure has three different AoCs, Public, Germany, and Government, so make sure you use the right one. The 2018 date on the AoC cover page refers to the template; you can check the date of the most recent audit in Section 2. Because of this, if there is a weak link in your PCI compliance, it’s not Microsoft’s services. You simply have to make sure you are using them correctly.

Compliance Manager

To help you out. Microsoft offers a Compliance Manager that provides a template for assessing your compliance needs and risks. You can find the Compliance Manager in the Microsoft 365 compliance center. All organizations with Office 365 and Microsoft 365 licenses have access to the Compliance Manager. The score it provides does not guarantee compliance, but rather helps reduce your risk. It’s somewhat similar to website speed and security tools, plus it is easy to use. Any company using Microsoft service to store sensitive information should use the Compliance Manager to audit their security. However, it should not be considered a comprehensive audit as it won’t catch everything. Indeed, it is intended primarily to make sure customers are not making elementary mistakes.

One final note, OneDrive for Business and SharePoint Online are only PCI DSS compliant within the United States. Microsoft is planning on rolling out compliance in other countries, but there is no predicted date. Many European countries have very specific standards that can make PCI compliance more of a challenge. If you do a lot of international business, your best option is to ensure that credit card numbers and similar data are not stored in the cloud or to use a different provider that obscures credit cards from your systems.

For businesses in the United States, however, Microsoft offers a solid framework to develop and support compliance. This also benefits Microsoft because of the shared responsibility model.

Shared Responsibility

Does Microsoft 365 Support PCI DSS Compliance? Shared responsibility is when compliance responsibility is split between you and the service provider. This applies only if the environment you are using has “flow-down”. That is to say, when you are benefiting from the frameworks set up by Microsoft. There are 396 total controls in Compliance Manager, of which Microsoft manages 208. This significantly reduces your effort spent on compliance and it reduces your risk of legal consequences if you do experience a data breach affecting financial information you are storing in the cloud.

What Is Microsoft Responsible For?

In basic terms, where Microsoft is responsible for the controls, Microsoft is also responsible for the regulatory burden. This is a major benefit of using a compliant cloud. If Microsoft has a problem that results in a data breach, all fines and lawsuits aim at them. Then, you won’t have to worry about regulatory issues, although notifying your customers is still good service and PR. However, this does not protect you from non-compliance using tools and controls that you manage.

This means that you need to have a good understanding of flow-down. For example, Microsoft provides DFARS flow-down in GCC High, but not GCC Moderate. Thus, if you want to take advantage of this, you will need to upgrade to a higher level. However, the higher level aids government use and, thus, has some of its own restrictions. Thankfully, this is not something most companies have to worry about, but it does help to understand flow-down and how it might affect your compliance. It’s important to be aware of what is your responsibility and what is taken care of by the cloud provider.

For PCI DSS specifically, OneDrive for Business and SharePoint Online is all you need to benefit from shared responsibility. Although, these systems are not designed for credit card processing, which reduces the amount of flow-down available. This also applies to Microsoft Cloud App Security, Dynamics 365, and Microsoft Defender for Endpoint. Because of the flow down, it does not translate to your own built or host services. For these, you have to ensure compliance, but for which Microsoft’s blueprints are useful. Remember that it is in Microsoft’s interests to ensure that the services they provide are compliant and support compliance.

Learn More About PCI DSS Compliance

Microsoft helps you be PCI compliant when using their services, but you should not use Office 365 to store and process credit card numbers. If using Azure services, you should use their blueprints and Compliance Manager to help ensure that the software you are hosting on their service is compliant.

If you are using cloud services and worried about PCI DSS compliance, Agile IT can help you. Our AgileAdvisor service provides initial and ongoing guidance to help you stay secure and compliant as you move to the cloud. Contact us to schedule a free consultation.

Published on: .

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.