Security, compliance, and privacy


The following issues make security and compliance a unique challenge for the retail industry:

  • A multitude of systems has always been in the retail space, from POS to CRM and other improvised systems across a wide network of stores, production centers, fulfillment centers, and corporations. Additionally, extensive apps, devices, and users have amassed across and outside of the corporate network. As the organizational barriers blur between who's in the network and who's out of it, organizations continue to struggle managing identities for their employees and external partners, suppliers, distributors, and even consumers, customers, or citizens.

  • Retailers are more vulnerable to cyber attacks, especially identity and software supply chain attacks. Increasingly, attacks and leaks are coming from within (source: National Retail Federation). The phrase "supply chain" in this context has a different meaning than the commonly understood meaning in retail that's related to logistics and transportation. Software supply chain security is primarily about the security of software code, which is traced back to its original sources and used by an entity and its external service providers throughout the full development and deployment life cycle.

  • Consumer privacy is imperative, and it impacts a brand's reputation and value when it isn't protected. However, only 22 percent of retailers have optimally integrated a privacy plan into their business strategy (source: Deloitte).

  • Increasing compliance mandates have been established across the globe that pertain to customer privacy. Nearly half of US states are developing data policy legislation, meaning that a patchwork of law will be established, making compliance confusing and complex to manage.

Security, identity, and threat protection

Microsoft helps you protect against the latest threats with intelligent tools to prevent attacks and react quickly to security events.

Identity and access

Identity and access features provide:

  • Benefits of a rich set of security capabilities from Microsoft Azure Active Directory (Azure AD), including multifactor authentication and fine-grained Conditional Access policies.

  • The ability to create access policies and use multifactor authentication based on specific retail personas, such as cashiers, managers, HR, and more.

  • Microsoft's principle of Zero Standing Access (ZSA) to customer data. You can use Customer Lockbox to approve or reject customer data access requests in the exceptional situation where such access is needed.


Encryption features help you:

  • Increase compliance and protect sensitive data with customer-managed keys (CMK).

  • Use Azure private link and network isolation to help ensure private access to online services, and protect connectivity with TLS 1.2 Encryption in Transit.

  • Use endpoint encryptions, based on devices and security needs, to accommodate a complex retail ecosystem.

Threat protection

Threat protection provides you with the following benefits:

  • Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

  • Microsoft services have undergone external penetration tests, and we recommend that customers also validate by performing independent penetration tests to keep their environment secure.

Regulatory compliance

Microsoft offers integrated compliance tools that are designed for retail.

Diagram showing Regulatory compliance. Take advantage of integrated compliance tools.

These compliance tools include:

  • Regulatory compliance checklists for different regions, countries, and states

  • In-region data storage and multi-geo capabilities

  • WORM storage, surveillance, and data compliance

  • eDiscovery, investigations support, and audit logging

  • Payment Card Industry compliance (PCI DSS)

  • Information barriers

Partner solutions compliance certification

The ISO 27001 and SSAE 18 SOC 2 partner certifications will accelerate your risk assessment and ensure end-to-end compliance coverage for Microsoft Cloud for Retail.

  • Partner apps are extensively validated for application security through external penetration tests, application code security analysis, and checking for common application vulnerabilities.

  • Microsoft's Zero Standing Access (ZSA) policy for partners, enforcement of multifactor authentication, and full audit logging will help minimize and secure partner access to your environment and will provide you with full transparency over such access.

  • Partner data security and privacy commitments include in-region data storage, data encryption in transit and at rest, presence of data retention and disposal policies, and validation of alignment against external regulations.

  • Where applicable, Microsoft reviews partners' operational security processes and infrastructure security. This review includes checks for the presence of anti-malware and firewalls. It also includes validation of change, development, and other operational processes for the presence of adequate security and compliance controls.

  • Contractual commitments, such as unrestricted rights of audit by customer and regulator and transparency over sub processors, are extended to these partners.