Is Azure App Service compliant with PCI Standard 3.0 and 3.1?
Currently, the Web Apps feature of Azure App Service is in compliance with PCI Data Security Standard (DSS) version 3.0 Level 1. PCI DSS version 3.1 is on our roadmap. Planning is already underway for how adoption of the latest standard will proceed.
PCI DSS version 3.1 certification requires disabling Transport Layer Security (TLS) 1.0. Currently, disabling TLS 1.0 is not an option for most App Service plans. However, if you use App Service Environment or are willing to migrate your workload to App Service Environment, you can get greater control of your environment. This involves disabling TLS 1.0 by contacting Azure Support. In the near future, we plan to make these settings accessible to users.
For more information, see Microsoft Azure App Service web app compliance with PCI Standard 3.0 and 3.1.
Please let us know if you have further questions.
In the URL provided above, the following remark can be found:
PCI DSS version 3.1 certification requires disabling Transport Layer Security (TLS) 1.0. Currently, disabling TLS 1.0 is not an option for most App Service plans.
It is not clear whether "most App Service plans" support PCI x.y or not. App Service Environment is a different offering, which does support PCI 3.1.
However, most people focus on App Service. In this context, it is not clear if, what and how exactly PCI compliance can be achieved.
My suggestion is to provide a somewhat more transparent and concrete answer here related to App Service.
It's important to remember that your solution will not just involve App Service, and you need to look at all of the services when attempting to map to compliance controls.
I would start at the Microsoft Trust Center. If you are part of a corporate security and compliance team, that site is your friend.
From there you can get to the PCI-DSS overview page, from which you can get to a number of resources, including the Attestations of Compliance for Azure Services.
The Azure PCI DSS Responsibility Matrix will help you identify what you are responsible for vs. what Microsoft is responsible for in establishing your controls. To help with some of the control mapping and enforcement, there is also an Azure Blueprint that you might be able to leverage.
Hope this helps.
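The one control the thread names concretely is the TLS floor: PCI DSS 3.1 requires TLS 1.0 to be turned off, and at the time of the answer that was only possible on App Service Environment via a support request. The script below is an added example, not code from either poster. It assumes the Az PowerShell module (Az.Websites) with an active Connect-AzAccount session, and the SiteConfig.MinTlsVersion property and Set-AzWebApp -MinTlsVersion parameter that Azure exposed for multi-tenant App Service after this thread was written. It inventories every web app in a resource group, flags anything whose minimum TLS version is below 1.2 (or unset), and optionally raises the floor, honouring -WhatIf so you can review before changing production.

```powershell
# Added example, not code from either poster. Assumes the Az PowerShell module
# (Az.Websites) with an active Connect-AzAccount session, and that
# SiteConfig.MinTlsVersion / Set-AzWebApp -MinTlsVersion expose the TLS floor
# the thread says still required an Azure Support request at the time.

function Get-WebAppTlsFindings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [version] $RequiredMinimum = [version]'1.2'   # PCI DSS 3.1: TLS 1.0 must be off
    )

    foreach ($site in Get-AzWebApp -ResourceGroupName $ResourceGroupName) {
        # The list call may not populate SiteConfig; fetch each app individually.
        $app = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $site.Name
        $raw = $app.SiteConfig.MinTlsVersion

        # An empty value means the platform default applies; report it as
        # non-compliant rather than silently assuming the default is acceptable.
        $current = if ([string]::IsNullOrEmpty($raw)) { $null } else { [version]$raw }

        [pscustomobject]@{
            Name          = $app.Name
            MinTlsVersion = $raw
            Compliant     = ($null -ne $current -and $current -ge $RequiredMinimum)
        }
    }
}

function Set-WebAppTlsFloor {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [string] $MinTlsVersion = '1.2'
    )

    Get-WebAppTlsFindings -ResourceGroupName $ResourceGroupName |
        Where-Object { -not $_.Compliant } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, "raise minimum TLS version to $MinTlsVersion")) {
                Set-AzWebApp -ResourceGroupName $ResourceGroupName -Name $_.Name `
                    -MinTlsVersion $MinTlsVersion | Out-Null
            }
        }
}

# Usage (resource group name is a placeholder): report first, then dry-run the fix.
# Get-WebAppTlsFindings -ResourceGroupName 'rg-payments' | Format-Table
# Set-WebAppTlsFloor -ResourceGroupName 'rg-payments' -WhatIf
```

This only covers the App Service front door. Deployment slots carry their own site configuration and are not walked by this loop, an App Service Environment is configured differently, and anything in front of the app (a gateway, CDN or load balancer) or beside it (storage, database, Key Vault) has its own TLS settings. That is the point of the answer above: the responsibility matrix, not a single setting, tells you which of those controls are yours to prove.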