Azure App Service Compliance with PCI Standards 3.0 and 3.1

Original product version:   Web App (Windows)
Original KB number:   3124528

The Azure App Service is currently in compliance with PCI DSS version 3.0 Level 1. We have also noted customer requests that make reference to PCI DSS version 3.1, and specifically the change from version 3.0 to 3.1, which states that SSL and "early TLS versions " will no longer be considered valid security options from June 30, 2018. From June 30th, 2018, the multi-tenant hosting model for Azure App Service, will be accepting TLS 1.2 with an option for customers to select their required TLS encryption level.

What this means

PCI DSS version 3.1 certification requires disabling TLS 1.0. If you are using App Service Environments or are willing to migrate your workload to App Service Environments, you can get greater control of your environment including disabling TLS 1.0, for more information, see Custom configuration settings for App Service Environments.

More information

Microsoft regularly reviews standards compliance procedures and will periodically update compliance baselines as standards bodies update and change their requirements. As part of Microsoft's Fiscal 2017 compliance planning, PCI standards will again be re-reviewed and technical determinations will be made. To view the current certifications, technical determinations will be made. To view the current certifications, visit the Microsoft Azure Trust Center: Compliance site.