Azure Security and Compliance Blueprint - PCI DSS-compliant Payment Processing environments
The Payment Processing for PCI DSS-Compliant Environments provides guidance for the deployment of a PCI DSS-compliant Platform-as-a-Service (PaaS) environment suitable for handling sensitive payment card data. It showcases a common reference architecture and is designed to simplify adoption of Microsoft Azure. This blueprint illustrates an end-to-end solution to meet the needs of organizations seeking a cloud-based approach to reducing the burden and cost of deployment.
This blueprint is designed to help meet the requirements of stringent Payment Card Industry Data Security Standards (PCI DSS 3.2) for the collection, storage, and retrieval of payment card data. It demonstrates the proper handling of credit card data (including card number, expiration, and verification data) in a secure, compliant multi-tier environment deployed as an end-to-end Azure-based PaaS solution. For more information about PCI DSS 3.2 requirements and this solution, see PCI DSS Requirements - High-Level Overview.
This blueprint is intended to serve as a foundation for customers to better understand the specific requirements, and should not be used as-is in a production environment. Deploying an application into this environment without modification is not sufficient to completely meet the requirements of a PCI DSS-compliant solution for a custom solution. Please note the following:
- This blueprint provides a baseline to help customers use Microsoft Azure in a PCI DSS-compliant manner.
- Achieving PCI DSS-compliance requires that an accredited Qualified Security Assessor (QSA) certify a production customer solution.
- Customers are responsible for conducting appropriate security and compliance reviews of any solution built using this foundational architecture, as requirements may vary based on the specifics of each customer’s implementation and geography.
For a quick overview of how this solution works, watch this video explaining and demonstrating its deployment.
The foundational architecture is comprised of the following components:
- Architectural diagram. The diagram shows the reference architecture used for the Contoso Webstore solution.
- Deployment templates. In this deployment, Azure Resource Manager templates are used to automatically deploy the components of the architecture into Microsoft Azure by specifying configuration parameters during setup.
- Automated deployment scripts. These scripts help deploy the end-to-end solution. The scripts consist of:
- A module installation and global administrator setup script is used to install and verify that required PowerShell modules and global administrator roles are configured correctly.
- An installation PowerShell script is used to deploy the end-to-end solution, provided via a .zip file and a .bacpac file that contain a pre-built demo web application with SQL database sample. content. The source code for this solution is available for review Blueprint code repository.
The blueprint addresses the use case below.
This scenario illustrates how a fictitious webstore moved their payment card processing to an Azure-based PaaS solution. The solution handles collection of basic user information including payment data. The solution does not process payments with this cardholder data; once the data is collected, customers are responsible for initiating and completing transactions with a payment processor. For more information, see the "Review and Guidance for Implementation".
A small webstore called Contoso Webstore is ready to move their payment system to the cloud. They have selected Microsoft Azure to host the process for purchasing and to allow a clerk to collect credit card payments from their customers.
The administrator is looking for a solution that can be quickly deployed to achieve his goals in for a cloud-born solution. He will use this proof-of-concept (POC) to discuss with his stakeholders how Azure can be used to collect, store, and retrieve payment card data while complying with stringent Payment Card Industry Data Security Standard (PCI DSS) requirements.
You will be responsible for conducting appropriate security and compliance reviews of any solution built with the architecture used by this POC, as requirements may vary based on the specifics of your implementation and geography. PCI DSS requires that you work directly with an accredited Qualified Security Assessor to certify your production-ready solution.
Elements of the foundational architecture
The foundational architecture is designed with the following fictitious elements:
User roles used to illustrate the use case, and provide insight into the user interface.
Role: Site and subscription admin
- The admin account cannot read credit card information unmasked. All actions are logged.
- The admin account cannot manage or log into SQL Database.
- The admin account can manage Active Directory and subscription.
Role: SQL administrator
- The sqladmin account cannot view unfiltered credit card information. All actions are logged.
- The sqladmin account can manage SQL database.
Edna Benson is the receptionist and business manager. She is responsible for ensuring that customer information is accurate and billing is completed. Edna is the user logged in for all interactions with the Contoso Webstore demo website. Edna has the following rights:
- Edna can create and read customer information
- Edna can modify customer information.
- Edna can overwrite or replace credit card number, expiration, and CVV information.
Contoso Webstore - Estimated pricing
This foundational architecture and example web application have a monthly fee structure and a usage cost per hour which must be considered when sizing the solution. These costs can be estimated using the Azure costing calculator. As of September 2017, the estimated monthly cost for this solution is ~$2500 this includes a $1000/mo usage charge for ASE v2. These costs will vary based on the usage amount and are subject to change. It is incumbent on the customer to calculate their estimated monthly costs at the time of deployment for a more accurate estimate.
This solution used the following Azure services. Details of the deployment architecture are located in the Deployment Architecture section.
- Application Gateway
- Azure Active Directory
- App Service Environment v2
- OMS Log Analytics
- Azure Key Vault
- Network Security Groups
- Azure SQL DB
- Azure Load Balancer
- Application Insights
- Azure Security Center
- Azure Web App
- Azure Automation
- Azure Automation Runbooks
- Azure DNS
- Azure Virtual Network
- Azure Virtual Machine
- Azure Resource Group and Policies
- Azure Blob Storage
- Azure Active Directory role-based access control (RBAC)
The following section details the development and implementation elements.
Network segmentation and security
The foundational architecture reduces the risk of security vulnerabilities using an Application Gateway with web application firewall (WAF), and the OWASP ruleset enabled. Additional capabilities include:
- Enable SSL Offload
- Disable TLS v1.0 and v1.1
- Web application firewall (WAF mode)
- Prevention mode with OWASP 3.0 ruleset
- Enable diagnostics logging
- Custom health probes
- Azure Security Center and Azure Advisor provide additional protection and notifications. Azure Security Center also provides a reputation system.
The foundational architecture defines a private virtual network with an address space of 10.0.0.0/16.
Network security groups
Each of the network tiers has a dedicated network security group (NSG):
- A DMZ network security group for firewall and Application Gateway WAF
- An NSG for management jumpbox (bastion host)
- An NSG for the app service environment
Each of the NSGs have specific ports and protocols opened for the secure and correct operation of the solution. For more information, see PCI Guidance - Network Security Groups.
Each of the NSGs have specific ports and protocols opened for the secure and correct working of the solution. In addition, the following configurations are enabled for each NSG:
- Enabled diagnostic logs and events are stored in storage account
- Connected OMS Log Analytics to the NSG's diagnostics
Ensure each subnet is associated with its corresponding NSG.
Custom domain SSL certificates
HTTPS traffic is enabled using a custom domain SSL certificate.
Data at rest
The architecture protects data at rest by using encryption, database auditing, and other measures.
Azure SQL Database
The Azure SQL Database instance uses the following database security measures:
- AD Authentication and Authorization
- SQL database auditing
- Transparent Data Encryption
- Firewall rules, allowing for ASE worker pools and client IP management
- SQL Threat Detection
- Always Encrypted columns
- SQL Database dynamic data masking, using the post-deployment PowerShell script
Logging and auditing
Operations Management Suite (OMS) can provide the Contoso Webstore with extensive logging of all system and user activity, include cardholder data logging. Changes can be reviewed and verified for accuracy.
- Activity Logs: Activity logs provide insight into the operations that were performed on resources in your subscription.
- Diagnostic Logs: Diagnostic logs are all logs emitted by every resource. These logs include Windows event system logs, Azure Blob storage, tables, and queue logs.
- Firewall Logs: The Application Gateway provides full diagnostic and access logs. Firewall logs are available for Application Gateway resources that have WAF enabled.
- Log Archiving: All diagnostic logs are configured to write to a centralized and encrypted Azure storage account for archival with a defined retention period (2 days). Logs are then connected to Azure Log Analytics for processing, storing, and dashboarding. Log Analytics is an OMS service that helps collect and analyze data generated by resources in your cloud and on-premises environments.
Encryption and secrets management
The Contoso Webstore encrypts all credit card data, and uses Azure Key Vault to manage keys, preventing retrieval of CHD.
- Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services.
- SQL TDE is used to encrypt all customer cardholder data, expiry date, and CVV.
- Data is stored on disk using Azure Disk Encryption and BitLocker.
The following technologies provide identity management capabilities in the Azure environment.
- Azure Active Directory (Azure AD) is the Microsoft's multi-tenant cloud-based directory and identity management service. All users for the solution were created in Azure Active Directory, including users accessing the SQL Database.
- Authentication to the application is performed using Azure AD. For more information, see Integrating applications with Azure Active Directory. Additionally, the database column encryption also uses Azure AD to authenticate the application to Azure SQL Database. For more information, see Always Encrypted: Protect sensitive data in SQL Database.
- Azure Active Directory Identity Protection detects potential vulnerabilities affecting your organization’s identities, configures automated responses to detected suspicious actions related to your organization’s identities, and investigates suspicious incidents and takes appropriate action to resolve them.
- Azure Role-based Access Control (RBAC) enables precisely focused access management for Azure. Subscription access is limited to the subscription administrator, and Azure Key Vault access is restricted to all users.
To learn more about using the security features of Azure SQL Database, see the Contoso Clinic Demo Application sample.
Web and compute resources
App Service Environment
Azure App Service Environment (ASE v2) is an App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at high scale. it is a Premium service plan used by this foundational architecture to enable PCI DSS compliance.
ASEs are isolated to running only a single customer's applications, and are always deployed into a virtual network. Customers have fine-grained control over both inbound and outbound application network traffic, and applications can establish high-speed secure connections over virtual networks to on-premises corporate resources.
Use of ASEs for this architecture allowed for the following controls/configurations:
- Host inside a secured Virtual Network and Network security rules
- ASE configured with Self-signed ILB certificate for HTTPS communication
- Internal Load Balancing mode (mode 3)
- Disable TLS 1.0 - a TLS protocol which is deprecated from a PCI DSS standpoint
- Change TLS Cipher
- Control inbound traffic N/W ports
- WAF – Restrict Data
- Allow SQL Database traffic
Jumpbox (bastion host)
As the App Service Environment is secured and locked down, there needs to be a mechanism to allow for any DevOps releases or changes that might be necessary, such as the ability to monitor the web app using Kudu. Virtual machine is secured behind NAT Load Balancer which allows you to connect VM on a port other than TCP 3389.
A virtual machine was created as a jumpbox (bastion host) with the following configurations:
- Antimalware extension
- OMS extension
- Azure Diagnostics extension
- Azure Disk Encryption using Azure Key Vault (respects Azure Government, PCI DSS, HIPAA and other requirements).
- An auto-shutdown policy to reduce consumption of virtual machine resources when not in use.
Security and malware protection
Azure Security Center provides a centralized view of the security state of all your Azure resources. At a glance, you can verify that the appropriate security controls are in place and configured correctly, and you can quickly identify any resources that require attention.
Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, high availability, and security of your Azure resources.
Microsoft Antimalware for Azure Cloud Services and Virtual Machines is real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems.
Use Application Insights to gain actionable insights through application performance management and instant analytics.
Log Analytics is a service in Operations Management Suite (OMS) that helps you collect and analyze data generated by resources in your cloud and on-premises environments.
These additional OMS solutions should be considered and configured:
- Activity Log Analytics
- Azure Networking Analytics
- Azure SQL Analytics
- Change Tracking
- Key Vault Analytics
- Service Map
- Security and Audit
- Update Management
Security Center integration
Default deployment is intended to provide a baseline of security center recommendations, indicating a healthy and secure configuration state. You can enable data collection from the Azure Security Center. For more information, see Azure Security Center - Getting Started.
Deploy the solution
The components for deploying this solution are available in the PCI Blueprint code repository. The deployment of the foundational architecture requires several steps executed via Microsoft PowerShell v5. To connect to the website, you must provide a custom domain name (such as contoso.com). This is specified using the
-customHostName switch in step 2. For more information, see Buy a custom domain name for Azure Web Apps. A custom domain name is not required to successfully deploy and run the solution, but you will be unable to connect to the website for demonstration purposes.
The scripts add domain users to the Azure AD tenant that you specify. We recommend creating a new Azure AD tenant to use as a test.
If you encounter any issues during the deployment, see FAQ and troubleshooting.
It is highly recommended that a clean installation of PowerShell be used to deploy the solution. Alternatively, verify that you are using the latest modules required for proper execution of the installation scripts. In this example, we log into the jumpbox (bastion host) and execute the following commands. Note that this enables the custom domain command.
Install required modules and set up the administrator roles correctly.
.\0-Setup-AdministrativeAccountAndPermission.ps1 -azureADDomainName contosowebstore.com -tenantId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -subscriptionId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -configureGlobalAdmin -installModules
For detailed usage instructions, see Script Instructions - Setup Administrative Account and Permission.
Install the solution-update-management
.\1-DeployAndConfigureAzureResources.ps1 -resourceGroupName contosowebstore -globalAdminUserName adminXX@contosowebstore.com -globalAdminPassword ************** -azureADDomainName contosowebstore.com -subscriptionID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -suffix PCIcontosowebstore -customHostName contosowebstore.com -sqlTDAlertEmailAddress email@example.com -enableSSL -enableADDomainPasswordPolicy
For detailed usage instructions, see Script Instructions - Deploy and Configure Azure Resources.
OMS logging and monitoring. Once the solution is deployed, a Microsoft Operations Management Suite (OMS) workspace can be opened, and the sample templates provided in the solution repository can be used to illustrate how a monitoring dashboard can be configured. For the sample OMS templates refer to the omsDashboards folder. Note that data must be collected in OMS for templates to deploy correctly. This can take up to an hour or more depending on site activity.
When setting up your OMS logging, consider including these resources:
A data flow diagram (DFD) and sample threat model for the Contoso Webstore Blueprint Threat Model.
Customer responsibility matrix
Customers are responsible for retaining a copy of the Responsibility Summary Matrix, which outlines the PCI DSS requirements that are the responsibility of the customer and those which are the responsibility of Microsoft Azure.
PCI Compliance Review
The solution was reviewed by Coalfire systems, Inc. (PCI-DSS Qualified Security Assessors). The PCI Compliance Review and guidance for implementation provides an auditor's review of the solution, and considerations for transforming the blueprint to a production-ready deployment.
Disclaimer and acknowledgements
- This document is for informational purposes only. MICROSOFT AND AVYAN MAKE NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. Customers reading this document bear the risk of using it.
- This document does not provide customers with any legal rights to any intellectual property in any Microsoft or Avyan product or solutions.
Customers may copy and use this document for internal reference purposes.
Certain recommendations in this paper may result in increased data, network, or compute resource usage in Azure, and may increase a customer’s Azure license or subscription costs.
The solution in this document is intended as a foundational architecture and must not be used as-is for production purposes. Achieving PCI compliance requires that customers consult with their Qualified Security Assessor.
- All customer names, transaction records, and any related data on this page are fictitious, created for the purpose of this foundational architecture and provided for illustration only. No real association or connection is intended, and none should be inferred.
- This solution was developed jointly by Microsoft and Avyan Consulting, and is available under the MIT License.
- This solution has been reviewed by Coalfire, Microsoft’s PCI-DSS auditor. The PCI Compliance Review provides an independent, third-party review of the solution, and components that need to be addressed.
- Frank Simorjay (Microsoft)
- Gururaj Pandurangi (Avyan Consulting)