
bharathn-msft asked (1 vote):

Is Azure App Service Compliant with PCI Standard 3.0 and 3.1?

Is Azure App Service compliant with PCI Standard 3.0 and 3.1?

Sourced from FAQ

Tags: azure-webapps, azure-webapps-security

Grmacjon-MSFT answered (0 votes):

Hello,
Currently, the Web Apps feature of Azure App Service is in compliance with PCI Data Security Standard (DSS) version 3.0 Level 1. PCI DSS version 3.1 is on our roadmap. Planning is already underway for how adoption of the latest standard will proceed.
PCI DSS version 3.1 certification requires disabling Transport Layer Security (TLS) 1.0. Currently, disabling TLS 1.0 is not an option for most App Service plans. However, if you use App Service Environment or are willing to migrate your workload to App Service Environment, you can get greater control of your environment. This involves disabling TLS 1.0 by contacting Azure Support. In the near future, we plan to make these settings accessible to users.
For more information, see Microsoft Azure App Service web app compliance with PCI Standard 3.0 and 3.1.


Sourced from FAQ


Please let us know if you have further questions.



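The answer above says PCI DSS 3.1 requires TLS 1.0 to be disabled, and that on App Service Environment this is done by contacting Azure Support rather than through a setting you can read back. The script below is an added example (not code from the thread, from Microsoft, or from the App Service product) that verifies the result from the outside: it attempts one handshake per TLS version against the endpoint and reports which versions the server accepts, so an auditor can confirm TLS 1.0 is really refused after the change. The hostname and port are placeholders; the set of forbidden versions defaults to TLS 1.0 only, because that is the requirement the thread states, and can be extended by the caller.

```python
"""Check which TLS protocol versions a public endpoint accepts.

Added example, not from the Q&A thread. The goal is to confirm the PCI DSS
3.1 requirement named in the thread (TLS 1.0 disabled) against a live
endpoint such as an App Service Environment front end. HOST is a placeholder.
"""
import socket
import ssl
import sys
from typing import Dict, FrozenSet, List, Optional

HOST = "example-ase-app.example.invalid"  # placeholder, replace with your endpoint
PORT = 443

# Protocol versions to try, each pinned as both minimum and maximum so the
# handshake can only succeed at exactly that version.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> Optional[bool]:
    """True if the server completes a handshake at `version`, False if the
    server refuses it, None if the check could not be run from this client
    (for example the local OpenSSL build will not offer TLS 1.0 at all)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol acceptance, not certificate trust, so
    # verification is off here; do not reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # Local policy refusing to offer the version is not a server rejection.
        if "NO_PROTOCOLS_AVAILABLE" in str(getattr(exc, "reason", "") or ""):
            return None
        return False
    except OSError:
        return None


def audit(host: str, port: int = PORT) -> Dict[str, Optional[bool]]:
    """Probe every version in VERSIONS and return name -> accepted/refused/untested."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def violations(results: Dict[str, Optional[bool]],
               forbidden: FrozenSet[str] = frozenset({"TLSv1.0"})) -> List[str]:
    """Forbidden versions the server accepted; an empty list means the
    requirement is met for every version that could actually be tested."""
    return sorted(name for name, accepted in results.items()
                  if name in forbidden and accepted is True)


def untested(results: Dict[str, Optional[bool]]) -> List[str]:
    """Versions whose acceptance could not be determined from this client."""
    return sorted(name for name, accepted in results.items() if accepted is None)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    results = audit(host)
    for name, accepted in results.items():
        state = {True: "accepted", False: "refused", None: "untested"}[accepted]
        print(f"{name}: {state}")
    bad = violations(results)
    print("PCI DSS 3.1 TLS 1.0 check:", "FAIL " + ", ".join(bad) if bad else "PASS")
    if untested(results):
        print("Could not test from this client:", ", ".join(untested(results)))
```

Run it as `python tls_audit.py your-app.example` from a network position that reaches the endpoint. A version reported as "untested" is not evidence either way; rerun from a client whose OpenSSL still offers that version before treating the check as passed.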

dobric answered (0 votes):

In the URL provided above, the following remark can be found:

PCI DSS version 3.1 certification requires disabling Transport Layer Security (TLS) 1.0. Currently, disabling TLS 1.0 is not an option for most App Service plans.

It is not clear if "most App Service plans" support PCI x.y or not. App Service Environment is a different offering, which does support PCI 3.1.
However, most people focus on App Service. In this context, it is not clear if, what and how exactly PCI can be achieved.

My suggestion is to provide here a bit more transparent and concrete answer related to AppService.




mipapase answered (0 votes):

It's important to remember that your solution will not just involve App Service and you need to look at all of the services when attempting to map to compliance controls.

I would start at the Microsoft Trust Center. If you are part of a corporate security and compliance team, that site is your friend.

From there you can get to the PCI-DSS overview page, from which you can get to a number of resources, including the Attestations of Compliance for Azure Services.

The Azure PCI DSS Responsibility Matrix will help you identify what you are responsible for vs. what Microsoft is responsible for in establishing your controls. To help with some of the control mapping and enforcement, there is also an Azure Blueprint that you might be able to leverage.

Hope this helps.

