Microsoft Dynamics CRM Online Security and Service Continuity Guide

Published: July 2012
Updated: September 2013


This service description describes the security, continuity, and compliance policies and controls for the Microsoft Dynamics CRM Online service offering. The document is intended to provide Microsoft Dynamics CRM Online customers with an overview of how the Microsoft Dynamics CRM Online service is designed to provide a high degree of security, continuity, and compliance—service goals that are derived from the Microsoft Risk Management program. 

Applies to

  • Microsoft Dynamics CRM Online

In this white paper

  • Introduction

  • Microsoft Dynamics CRM Online security

  • Microsoft Dynamics CRM Online service continuity

  • Microsoft Dynamics CRM Online compliance

  • Appendix A: Additional resources

  • Appendix B: Accessibility for Microsoft Dynamics CRM

  • Feedback


This section introduces the purpose and scope of the information provided in this paper.


Microsoft Dynamics CRM Online delivers the power of cloud productivity to businesses of all sizes, helping customers save time and money and free up valued resources. Microsoft understands that when customers allow an external service provider to store and manage their data, key considerations include security, data protection, privacy, and data ownership. Microsoft takes these concerns seriously and has applied its years of cloud and on-premises experience with security and privacy to the Microsoft Dynamics CRM Online service.




This paper can be downloaded from the Microsoft Download Center: Microsoft Dynamics CRM Online Security and Service Continuity Guide.

Microsoft Dynamics CRM Online security

The security architecture of Microsoft Dynamics CRM Online has been designed using key principles of the Microsoft Trustworthy Computing initiative. To ensure that customer data is highly safeguarded from risks and threats, Microsoft applies a common set of security policies to the Microsoft Dynamics CRM Online service through the Microsoft security program. The Microsoft Dynamics CRM Online service operates in compliance with these security policies and relevant industry standards. Microsoft is committed to continually improving and evolving the Microsoft Dynamics CRM Online service to ensure that customers are highly protected from current and future threats.

This section describes how Microsoft protects customers’ business data and delivers the Microsoft Dynamics CRM Online service securely and reliably.

Securing the Microsoft Dynamics CRM Online service

Microsoft helps comprehensively secure the Microsoft Dynamics CRM Online service by applying the Trustworthy Computing approach, which ensures that the security of the Microsoft Dynamics CRM Online service is vigilantly maintained, regularly enhanced, and routinely verified through testing.


For more information, see the page Foundations of Trustworthy Computing.

The Trustworthy Computing approach provides protection at multiple levels:

  • Physical layers at data centers: Physical controls, video surveillance, and access control.

  • Logical layers: Data isolation, hosted applications security, infrastructure service, network level, identity and access management, federated identity and single sign-on.

Physical security

Microsoft ensures that the environment in which the Microsoft Dynamics CRM Online customer’s data is stored is physically secured by controlling accessibility through multiple security checks. These physical security checks are applied at multiple levels in the Microsoft data centers, and the Microsoft Dynamics CRM Online service is delivered through carrier-class data centers that ensure consistent delivery according to the service-level agreement (SLA).

These data centers include the following industry-standard features:

  • Secure physical access for authorized personnel only: Access is restricted by job function so that only essential personnel receive authorization to manage customers’ applications and service. Physical access authorization utilizes multiple authentication and security processes: badge and smartcard, biometric scanners, on-premises security officers, continuous video surveillance, and two-factor authentication for physical access to the data center environment.

  • Redundant power supplies, including two separate power feeds into each data center, battery backup, and diesel generators (with alternative fuel delivery contracts in place).

  • Climate control to ensure that equipment runs at optimal temperature and humidity.

  • Natural disaster control, including seismically braced racks where required and fire prevention and extinguishing systems.

  • Physical monitoring, including motion sensors, 24-hour secured access, video camera surveillance, and security breach alarms.

  • Worldwide Microsoft data center locations: The Microsoft Dynamics CRM Online service is deployed in Microsoft data centers that are located around the world, and offer geographically local hosting with global availability.

  • Secure network design and operations: The networks within the Microsoft data centers are designed to create multiple separate network segments within each data center. This segmentation helps to provide physical separation of critical, back-end servers and storage devices from the public-facing interfaces.

  • Exceptional hardware: The underlying hardware used in Microsoft data centers is specifically designed to operate as efficiently, effectively, and securely as possible. The hardware helps Microsoft eliminate unnecessary costs, save power and space consumption, and pass on these savings to Microsoft Dynamics CRM Online customers.

Logical security

Logical security in Microsoft Dynamics CRM Online is just as important as physical security. In Microsoft Dynamics CRM Online, the following key features provide logical security.

  • Data isolation: Data storage and processing is logically segregated among customers. The multitenant security architecture ensures that customer data stored in shared Microsoft Dynamics CRM Online data centers is not accessible by or compromised to any other organization. Each tenant is provisioned their own database, which ensures isolation from other customer data. In addition, tenants are isolated from each other based on security boundaries which are enforced logically through the Microsoft Dynamics CRM Online middle tier.

  • Hosted applications security: Microsoft ensures that applications hosted by Microsoft data centers are highly protected by robust security features and security measures that control access, which are described in the following table.

    Feature                       Description
    Customizable security roles   Govern user access and the actions they can perform.
    Business data auditing        Allow organizations to maintain an audit trail that demonstrates accountability from beginning to end.
    Field-level security          Control the permission of users and teams to read, create, or write in a data field.
    Role-based forms              Control the visibility of data for a specific record type.


    For guidelines and best practices associated with setting up these features in Microsoft Dynamics CRM Online, see the Microsoft Dynamics CRM Online Security and Compliance Planning Guide.

  • Security Development Lifecycle: Microsoft applies Security Development Lifecycle, a software security assurance process, to design, develop, and implement the Microsoft Dynamics CRM Online service. Security Development Lifecycle helps to ensure that the service is highly secured—even at the foundation level.

    Through controls like Establish Design Requirements, Analyze Attack Surface, and Threat Modeling, the Security Development Lifecycle helps Microsoft to identify:

    • Potential threats while running a service.

    • Exposed aspects of the service that are open to attack.

    If potential threats are identified at Design, Development, or Implementation phases, Microsoft can minimize the probability of attacks by restricting service or eliminating unnecessary functions. After eliminating unnecessary functions, Microsoft reduces these potential threats in the Verification phase by fully testing the controls in the Design phase.

  • Secured Microsoft Dynamics CRM Online service infrastructure: Infrastructure-level security measures include:

    • Extensive server monitoring support integrated with the overall Microsoft System Center Operations Manager monitoring architecture.

    • Secure remote access via Microsoft Windows Server Remote Desktop Service.

    • Multi-tier administration, using a three-tier administration model that isolates administrative tasks and controls access based on user role and the level of authorized administrative access.

    • Environmental security scanning to monitor for vulnerabilities and incorrect configuration.

    • Intrusion detection systems to provide continuous monitoring of all access to the Microsoft Dynamics CRM Online service. Sophisticated correlation engines analyze this data to immediately alert staff of any “suspicious” connection attempts.

    • Security standards for operating systems to help protect the Microsoft Dynamics CRM Online service from attack by malicious users or malicious code, including disabling nonessential services, securing file shares to require authorization, and implementing the Data Execution Prevention (DEP) feature. DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running.

    • Systems management and access control using Active Directory. Active Directory manages networks and component servers that run the Microsoft Dynamics CRM Online service. Applications that provide the online service are designed to operate efficiently and effectively within the Active Directory environment.

    • Central management of security policies. The Microsoft staff manages and enforces security policies centrally from secured servers that are dedicated to controlling and monitoring network-wide systems. A delegated management model enables administrators to have only the access they need to perform specific tasks, reducing the potential for error and allowing access to systems and functions strictly on an as-needed basis.

    • New servers can be quickly and safely configured, and template-based server hardening ensures that new capacity is brought online with security measures already in place.

  • Network-level security measures: These measures include features related to providing a highly secured connection over the Internet:

    • Customer access to service provided over the Internet originates from users’ Internet-enabled locations and ends at a Microsoft data center. These connections established between customers and Microsoft data centers are encrypted using industry-standard Transport Layer Security (TLS)/Secure Sockets Layer (SSL), which effectively establishes a highly secure browser-to-server connection to help provide data confidentiality and integrity between the desktop and data center.

    • A redundant network provides full failover capability and helps ensure 99.9 percent network availability.

    • All remote connections by Microsoft operations personnel must be made via Remote Desktop Service and two-factor authentication.

  • Identity and access management: Access to the systems hosting the Microsoft Dynamics CRM Online service is controlled through the following methods:

    • Staff-level access control: Data center staff’s access to the IT systems that store customer data is strictly controlled. Access control follows the principles of separation of duties and least privilege.

    • Proactive host security: Microsoft Dynamics CRM Online security is enhanced by proactively securing the host system.

      • Server hardening by disabling unnecessary services

      • Logging and auditing

    • Restricted access to service:

      • Content inspection

      • Hardened servers

      • Sessions better protected by SSL/TLS


    Mobile device access depends on wireless capability or mobile network availability.

  • Federated identity and single sign-on: With on-premises Active Directory, administrators can use single sign-on for Microsoft Dynamics CRM Online service authentication. To achieve this, administrators can configure on-premises Active Directory Federation Services—a Windows Server service—to federate with the Office 365 services federation gateway. After Active Directory Federation Services is configured, all Microsoft Dynamics CRM Online users whose identities are based on the federated domain can use their existing corporate logon to automatically authenticate to Microsoft Dynamics CRM Online.


For more information, see the Office 365 Identity Service Description, which is one of the Office 365 for Enterprise Service Descriptions.

Delivering reliable service

To ensure the reliability of the Microsoft Dynamics CRM Online service, Microsoft focuses on effective deployment, administration, and maintenance.

  • Operations management and service deployment: Operations is a key component of the Microsoft Dynamics CRM Online service and is central to overall security and availability. Operations management practices for Microsoft Dynamics CRM Online (for example, change management, incident and problem management) are based upon industry-standard principles of the Information Technology Infrastructure Library (ITIL). Microsoft has added the Microsoft Operations Framework (MOF)—a standardized implementation of ITIL recommendations—which provides an integrated set of best practices, principles, and activities that help organizations achieve reliability for their IT solutions and services.

  • Microsoft Dynamics CRM Online maintains a dedicated security organization that is focused on constant security vigilance, with a staff that follows the principles defined in MOF. The security team adheres to the following functions defined by ITIL and applies them to the operation of the Microsoft Dynamics CRM Online service:

    • Change management

    • Incident management

    • Problem management

    In addition, the Microsoft Dynamics CRM Online service requires distinct hosted service development, deployment, and operations staff to adhere to the principle of segregation of duty. This includes controlling access to the source code, build servers, and production environment. For example:

    • Access to the Microsoft Dynamics CRM Online service production environment is restricted to operations personnel. Development and test teams may be granted temporary access to help troubleshoot issues.

    • Access to the Microsoft Dynamics CRM Online service source code control is restricted to development personnel; operations personnel cannot change source code.

  • Monitoring and risk reduction: Microsoft makes significant investments in developing tools and services for monitoring Microsoft Dynamics CRM Online and its environment.

    • Microsoft System Center Operations Manager: Servers within the Microsoft Dynamics CRM Online service environment are configured to maximize the reporting of security events from the operating system and applications. The Microsoft Dynamics CRM Online service operations team uses the latest technology and optimized processes to harvest, correlate, and analyze information as it is received. System Center Operations Manager is an end-to-end service management environment that integrates with platform and service hardware and software to provide continuous health monitoring. System Center Operations Manager management packs provide internal transaction monitoring, capabilities for looking at service threshold models, and CPU utilization analysis that is tailored to the Microsoft Dynamics CRM Online service applications. In addition, custom management packs are layered above the Microsoft Dynamics CRM Online platform to provide operations staff with very specific information that helps identify trends and predict behavior that may require proactive intervention.

    • Integrated infrastructure and web performance monitoring: System Center Operations Manager data is combined with feeds from additional specialized tools and services to capture, aggregate, and analyze the network that operates the Microsoft Dynamics CRM Online service as well as the behavior of key sites on the Internet. For example, if connectivity begins to degrade, staff can identify whether the problem is internal to the Microsoft Dynamics CRM Online service or caused by conditions on the Internet that may represent a risk to Microsoft Dynamics CRM Online customers.

    • Hardware and software subsystems monitoring: Proactive monitoring continuously measures the performance of key subsystems of the Microsoft Dynamics CRM Online service platform against the established boundaries for acceptable service performance and availability. When a threshold is reached or an irregular event occurs, the monitoring system generates warnings so that operations staff can address the threshold or event.

Microsoft Dynamics CRM Online service continuity

Service continuity management focuses on the ability to restore service for Microsoft Dynamics CRM Online customers in a predetermined timeframe during a critical service outage. Achieving restored service requires preparation, planning, technical implementation, exercises that simulate outages, and execution at the time of an incident.

This section describes the common approach to service continuity management that is taken by Microsoft Dynamics CRM Online. It also explains how Microsoft Dynamics CRM Online ensures data availability and service reliability to customers. This section also explains how service continuity capabilities developed by Microsoft are integrated into the design of the Microsoft Dynamics CRM Online service.

Service continuity management

Microsoft Dynamics CRM Online is delivered by highly resilient systems that help to ensure high levels of service. Microsoft Dynamics CRM Online capitalizes on the experience that Microsoft has in hosting services as well as close ties to Microsoft product groups and support services to create a service that meets the high standards that customers demand.

Part of the Microsoft Dynamics CRM Online system design, service continuity provisions enable Microsoft Dynamics CRM Online to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity solutions also apply during catastrophic outages (for example, natural disasters or a fire within a Microsoft data center that renders the entire data center inoperable).

Incident classification

Service outages may be caused by hardware or software failure in the Microsoft data center, a faulty network connection between the customer and Microsoft, or a major data center challenge such as fire, flood, or regional catastrophe. Most service outage incidents can be addressed using Microsoft technology and process solutions and are resolved within a short time. However, some incidents are more serious and can lead to long-term outages.

To classify outage incidents as minor, critical, or catastrophic events based on their impact to customers, Microsoft Dynamics CRM Online uses the Service Interruption Scale, which is shown in the following graphic:

[Figure: CRM Online Service Health Dashboard]

Catastrophic outages and declarations of disaster

Microsoft Dynamics CRM Online analyzes each incident that affects service availability to determine scope and possible solutions. Outages that cause customer work to stop may be considered catastrophic outages. In addition, outages that are classified as a critical or catastrophic event based on the Service Interruption Scale may be declared disasters.


Declaration of a disaster does not automatically result in failover of a customer’s redundant secondary site.

The Service health dashboard

Customers using the Microsoft online services portal to manage their Microsoft Dynamics CRM Online deployments are notified of service interruptions via the Service health dashboard, which is shown in the following graphic:

[Figure: Service health dashboard]

When an outage is declared a disaster, regular customer notifications are provided through the Service health dashboard (for customers managing their Microsoft Dynamics CRM Online subscription through the Microsoft online services portal) until a solution is found.

Responsibilities during a service outage

During a system outage, Microsoft’s responsibilities include:

  • Providing contact information in the form of a single email group alias and phone number so that the customer can engage appropriate personnel at the time of an event to review current status of the outage, disaster declaration criteria, and approval or disapproval of failing over to the secondary site.

  • Incorporating feedback from the customer to decide whether to fail over to the customer’s secondary site.

Ensuring data availability

Microsoft ensures customer data is available whenever it is needed, with the help of the following features of Microsoft Dynamics CRM Online service.

Data storage and redundancy

Customers’ data is stored in a redundant environment with robust backup, restore, and failover capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically diverse data center. As an additional safeguard, Microsoft performs daily back-ups to a secure, offsite location.

Data monitoring and maintenance

Along with the safeguards in place against data loss, Microsoft Dynamics CRM Online service policies help to maintain data performance levels.

  • Monitoring databases: Databases are regularly checked for blocked processes and long-running queries.

  • Preventative maintenance: Maintenance includes refreshing indexes, reviewing error logs, and monitoring storage capacity levels.

Dedicated support

The Microsoft Dynamics CRM Online development and operations teams are complemented by a dedicated Microsoft Dynamics CRM Online support organization, which plays an important role in providing customers with business continuity. Support staff has a deep knowledge of the service and its associated applications as well as direct access to Microsoft experts in architecture, development, and testing.

The support organization closely aligns with operations and product development, offers fast resolution times, and provides a channel for customers’ voices to be heard. Feedback from customers provides input to the planning, development, and operations processes.

  • Online issue tracking: Customers need to know that their issues are being addressed, and they need to be able to track timely resolution. For customers using the Microsoft online services portal to manage their Microsoft Dynamics CRM Online deployments, the portal serves as a single web-based interface for support. Customers can use the portal to add and monitor service requests and receive feedback from Microsoft support teams.


    Customers not using the Microsoft online services portal can track and follow their issues via the CRM Help & Training link for support access.

  • Self-help, backed by continuous staff support: Microsoft Dynamics CRM Online offers a wide range of self-help resources and tools that can help customers to resolve service-related issues without requiring Microsoft support. Before customers enter service requests, they can access knowledge base articles and FAQs that provide immediate help with the most common problems. These resources are continually updated with the latest information, which helps avoid delays by providing solutions to known issues. However, when an issue arises that needs the help of a support professional, staff members are available through online communication to cover most situations and by telephone for mission-critical needs.

Microsoft Dynamics CRM Online compliance

Microsoft has designed security, data protection, reliability, and privacy of the Microsoft Dynamics CRM Online service around high industry standards. Microsoft Dynamics CRM Online and the infrastructure on which it relies (Microsoft Global Foundation Services) employ security frameworks based on the International Standards Organization (ISO/IEC 27001:2005) family of standards and are ISO 27001 certified by independent auditors. Our ISO 27001 certifications enable customers to evaluate how Microsoft meets or exceeds the standards and implementation guidance against which we are certified.

BSI auditing professionals are bound by professional ethics to provide an unbiased, third-party analysis of Microsoft Dynamics CRM Online compliance. To make this evaluation, they observe routine operations, interview relevant personnel, and review documentation in each of the areas covered in the Statement of Applicability (SOA). ISO 27001 defines how to implement, monitor, maintain, and continually improve the Information Security Management System (ISMS). In addition, both the service and the infrastructure undergo yearly audits resulting in SOC 1 type II reports (SSAE16).

The Microsoft Online Service Information Security Policy, which is applicable to Microsoft Dynamics CRM Online, aligns with International Organization for Standards ISO 27002 augmented with requirements that are specific to online services. The ISO 27001 certification which Microsoft has received is supplemented by ISO 27002, which provides a suggested set of suitable controls.

Microsoft Dynamics CRM Online customers can review the ISO standard and published Microsoft service documentation to determine whether their security requirements are satisfied. Microsoft Dynamics CRM Online features enhanced security for most types of data and jurisdictions.


For more information, see the white paper Standard Response to Request for Information – Security and Privacy.

However, customers must evaluate sensitive data, or data that must be held to a certain level of security or under applicable regulations, for use through the service offering. In some instances, the data may require a specific security requirement that Microsoft does not provide.

Please note that the Microsoft Dynamics CRM Online ISO 27001 certified security framework (“Security Framework”) does not expand to or cover online services or software provided by Microsoft or other third parties that connect to Microsoft Dynamics CRM Online. Subject to your direct control, Microsoft Dynamics CRM Online connects to other Microsoft software or services and third party services whose privacy and security practices differ from those of Microsoft Dynamics CRM Online. These additional services and software include but are not limited to Microsoft Dynamics CRM Online for supported devices (i.e. tablets and smart-phones), Microsoft Dynamics CRM E-mail Router, Microsoft Dynamics CRM Resource Center, Microsoft Office, Office 365, Yammer Enterprise, Bing Maps, Skype, Microsoft Dynamics CRM Activity Feeds/Mobile Express, Marketing Pilot, and Microsoft Dynamics Marketing. Connecting Microsoft Dynamics CRM Online to these online services will enable certain data to be shared outside the scope of the Security Framework. Different use and privacy policies apply to data shared with and received by these software and online services. We encourage you to review these other use and privacy policies.

Support for leading industry certifications

Microsoft was first certified for Safe Harbor in 2001, and the LCA Regulatory Affairs team recertifies compliance with the Safe Harbor Principles every 12 months.

In addition to EU Member States, members of the European Economic Area (Iceland, Norway, and Liechtenstein) also recognize Safe Harbor members as providing adequate privacy protection to justify trans-border transfers from their countries to the U.S. Switzerland has a nearly identical agreement (Swiss-U.S. Safe Harbor) with the U.S. Department of Commerce to legitimize transfers from Switzerland to the U.S., to which Microsoft has also certified.

Several other countries, such as Canada and Argentina, have passed comprehensive privacy laws and the EU has cleared them for data transfer from the EU to those countries.

  • EU Model Clauses*. In addition to EU Safe Harbor, Microsoft Dynamics CRM Online is willing to sign the standard contractual clauses created by the European Union (called the “EU Model Clauses”), which address international transfer of data. The EU Model Clauses are standardized contractual terms approved by the European Commission that allow for the transfer of personal data out of the EU. They include additional security and notice requirements that a service is willing to contractually commit to in order to support customers. When included in service agreements with data processors, the Model Clauses assure customers that appropriate steps have been taken to help safeguard personal data, even if data is stored in a cloud-based service center located outside the European Economic Area. Committing to operate under the Model Clauses creates additional operational requirements for Microsoft, which Microsoft has met by building exacting processes to comply with these requirements.

  • HIPAA/HITECH-Business Associate Agreement*. Microsoft Dynamics CRM Online is also willing to sign requirements for the Health Insurance Portability and Accountability Act of 1996 (HIPAA)/Health Information Technology for Economic and Clinical Health Act (HITECH) Business Associate Agreement with all customers. HIPAA/HITECH are U.S. laws that govern the security and privacy of personally identifiable health information stored or processed electronically. This information is referred to as electronic protected health information (ePHI). HIPAA refers to healthcare providers, payors and clearing houses that use or process ePHI as covered entities. Under HIPAA/HITECH, covered entities must implement mandated physical, technical and administrative safeguards to protect ePHI. Certain service providers that store or process ePHI on behalf of covered entities are called business associates. Covered entities must ensure that their business associates implement similar security and privacy safeguards. In most circumstances, for a covered healthcare company to use a service such as Microsoft Dynamics CRM Online, in which ePHI could be stored or processed, the service provider will be a business associate and must agree in writing to implement required safeguards set out in HIPAA/HITECH. This written agreement is known as a Business Associate Agreement (BAA).

  • Data Processing Agreement*. Article 17 of the EU Data Protection Directive (Directive 95/46/EC of the European Parliament) requires data controllers (typically customers loading data onto an online service) to have a written agreement with data processors obligating the data processor to follow the instructions of the data controller and to provide sufficient security measures to protect the data being processed. These are called Data Processing Agreements ("DPA"). Some EU member states require additional terms in DPAs beyond the baseline requirements of the EU Data Protection Directive. Microsoft offers customers a comprehensive standard Data Processing Agreement that addresses privacy, security and handling of Customer Data. Our standard Data Processing Agreement enables customers to comply with their local privacy regulatory requirements.

*Applicable to Microsoft Dynamics CRM Online customers who manage their Online Services through the Microsoft online services environment.


For additional detail about Microsoft Dynamics CRM Online support for leading industry certifications, see the Microsoft Dynamics CRM Online Service Trust Center.

The Gramm-Leach-Bliley Act (GLBA) sets minimum security and privacy requirements for financial institutions in the United States. Software or a service cannot claim to be “GLBA compliant” because GLBA compliance also requires procedures and policies. Two of the principal regulations under GLBA that affect the Microsoft Dynamics CRM Online service are:

  1. Financial Privacy Rule: Governs the collection and disclosure of customers’ personal financial information by financial institutions.

  2. Safeguards Rule: Requires all financial institutions to design, implement, and maintain safeguards to protect customer information, whether they collect such information themselves or receive it from other financial institutions.

Microsoft Dynamics CRM Online ordering, billing, and payment systems that handle credit card data are Level One Payment Card Industry (PCI) Compliant, and customers can use credit cards to pay for the service with confidence. An independent third party audits and determines whether the commerce platform that supports Microsoft Dynamics CRM Online has satisfactorily met the Payment Card Industry Data Security Standard (PCI DSS) version 1.2.

The Microsoft Dynamics CRM Online service is not suitable for processing, transmitting, or storing PCI-governed data. PCI DSS is an industry standard designed to protect and maintain sensitive data during transmission and storage throughout the data life cycle. At a minimum, organizations that support transactions via credit and debit cards are required to have a degree of compliance with the PCI standard.

There is confusion in the marketplace around the impact of PCI DSS; many customers state that all data within their organizations requires PCI certification and compliance, and that the online service must also demonstrate compliance. While Microsoft does need to be compliant for the Primary Account Number (PAN) data it processes, and it is, customers should not use the Microsoft Dynamics CRM Online service to transmit or store PAN data for their own use.


PCI compliance applies only if Primary Account Number (PAN) data is transmitted or stored within the online environment. To be compliant, the PAN data must be encrypted during transmission and storage. In addition, reporting must demonstrate that this encryption has successfully protected the PAN data. As a result, the service is not a suitable storage medium for PAN data, and companies should apply customer-side policies to prevent the transmission of PAN data to the online environment. To integrate transaction information, customers may choose to use a PCI validated payment gateway service, which stores and processes the PAN data.
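One way to implement such a customer-side policy, as an added example that is not part of the original guide or any Microsoft code: a filter an integration could run over record fields before they are sent to the online service, masking digit runs that look like card numbers and pass the Luhn checksum. The field names, the sample record and the `scrub_record` helper are assumptions made for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
MASK = "[PAN REMOVED]"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return (start, end) spans of Luhn-valid card-number candidates."""
    spans = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # filters out order numbers, phone numbers, etc.
            spans.append(m.span())
    return spans


def scrub_record(record: dict):
    """Mask PAN-like values in string fields.

    Returns (clean_record, flagged_field_names) so the caller can log or
    reject the upload instead of silently forwarding card data.
    """
    clean, flagged = {}, []
    for field, value in record.items():
        if isinstance(value, str):
            spans = find_pans(value)
            if spans:
                flagged.append(field)
                for start, end in reversed(spans):  # right to left keeps offsets valid
                    value = value[:start] + MASK + value[end:]
        clean[field] = value
    return clean, flagged


# Constructed sample record (hypothetical field names; widely published test card number).
SAMPLE_RECORD = {
    "subject": "Order 1234567890123456 follow-up",
    "description": "Customer paid with 4111-1111-1111-1111, call back Monday",
    "priority": 2,
}
```

The Luhn check keeps false positives down on long numeric identifiers, but a match is still only a heuristic; flagged fields are best reviewed or rejected rather than trusted as fully cleaned.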


With the Microsoft Dynamics CRM December 2012 Service Update, the Microsoft Dynamics CRM Online service now operates in a FIPS 140-2 compliant manner.

Appendix A: Additional resources

For additional information related to Microsoft Dynamics CRM Online security and service continuity, see the following resources.

Microsoft Dynamics CRM Online

Security and operations

Appendix B: Accessibility for Microsoft Dynamics CRM

Administrators and users who have administrative responsibilities typically use the Settings area of the Microsoft Dynamics CRM Web application to manage Microsoft Dynamics CRM. A mouse and keyboard are the typical devices that administrators use to interact with the application.

Users who don’t use a mouse can use a keyboard to navigate the user interface and complete actions. The ability to use the keyboard in this way is a result of support for keyboard interactions that a browser provides.

For more information, see the following Microsoft Dynamics CRM Web application accessibility topics:

Administrators and users who have administrative responsibilities for on-premises deployments of Microsoft Dynamics CRM 2013 also use Microsoft Dynamics CRM Deployment Manager, an MMC (Microsoft Management Console) application, to manage on-premises deployments of Microsoft Dynamics CRM Server 2013.

For more information, see the following MMC (Microsoft Management Console) accessibility topics:

Accessibility features in browsers

Browser: Documentation

  • Internet Explorer: Microsoft Accessibility; Language Support and Accessibility Features

  • Mozilla Firefox: Accessibility features in Firefox

  • Apple Safari

  • Google Chrome: Accessibility Technical Documentation


For additional information, see the Microsoft Accessibility Resource Center


We appreciate hearing from you. To send your feedback, click the link below and type your comments in the message body.


The subject-line information is used to route your feedback. If you remove or modify the subject line, we may be unable to process your feedback.

Send feedback


© 2015 Microsoft. All rights reserved.