问题
I want to host an application on Windows Azure that stores the credit card information of users who pay to buy subscriptions for a monthly fee. I'd just have to store the card data as securely as possible (encrypt, salt, update database password often, use HTTPS, and so on)
I believe I need to be PCI compliant to be able to store this kind of information. My question is can Azure allow me to achieve this? What are my options? Can an application on Azure process credit card payments?
回答1:
Windows Azure is not currently PCI compliant. (it may be in the future but not now - roadmap)
EDIT: Azure is now Level-1 compliant: windowsazure.com/en-us/support/trust-center/compliance
Windows Azure has a Trust Center page that explains all about its security and compliance (I suggest you read more about it here about what Azure has and hasn't) https://www.windowsazure.com/en-us/support/trust-center/
You have options where you can build Azure Applications but let a 3rd party (PCI compliant) handle the actual credit card processing for you, thus mitigating your risk of a non-PCI complaint application on Azure.
回答2:
As of today Azure is PCI DSS Level 1 compliant.
http://blogs.msdn.com/b/windowsazure/archive/2014/01/16/announcing-pci-dss-compliance-and-expanded-iso-certification-for-windows-azure-general-availability-of-windows-azure-hyper-v-recovery-manager-and-other-updates-to-windows-azure.aspx
https://www.windowsazure.com/en-us/support/trust-center/compliance/
My understanding of PCI Compliance means that you are now allowed to build applications on Azure and should be able to get them PCI certified as well. Just building an app and hosting it in Azure does not guarantee compliance.
回答3:
Now it is compliant. You can visit the Windows Asure compliance page for details and also download the Windows Azure Customer PCI Guide.
回答4:
It is compliant in broad terms. Try building an app using webapps and a DB that communicate to each other and not use the public IP space. Here are some issues in PCI-DSS.
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
1.3.5 All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content).
回答5:
The Windows Azure PCI Attestation of Compliance (AoC) does not list any services that customers can actually go out and buy. The AoC certifies the following services:
Azure Core Services, Azure Platform Services, Azure Directory Services, Data Processing, Infrastructure, Operations.
...but these services (at least by name, anyway), cannot be "bought".
I've put together the following blog article, as to why a QSA such as myself with several years PCI DSS auditing experience, has an issue with Azure:
https://www.2-sec.com/2015/11/19/is-microsoft-azure-pci-dss-compliant-lessons-in-due-diligence/
Tim Holman, QSA, 2-sec...
来源:https://stackoverflow.com/questions/11167152/hosting-a-pci-compliant-app-on-azure