Complying with PCI DSS 3.2 in the Office 365 Space is a Must for Financial Organizations

As Office 365 continues to gain ground in the financial industry, it is important to know what PCI certification requirements a financial business must meet when implementing and maintaining a production Office 365 service. This includes knowing what information can safely be passed through an Office 365 environment, as well as how to address day-to-day security functions, such as user access management and data encryption.

Office 365 Is PCI Compliant – Sort Of

Let’s start with a caveat. Office 365 has been certified as being PCI DSS compliant, but only on a Level One (PCI-DSS version 1.2) basis. What this means for financial organizations, as well as for any organization subject to PCI regulations, is that Office 365 is not suitable for transactional processing, sending or storing of data that falls under PCI governance. Only with the appropriate security controls in place can financial organizations use such data in typical business activities.

Using Office 365 in a PCI World

While it may appear that using Office 365 in a financial organization will be a complicated task to complete, the fact is that with some forward thinking and due diligence, any organization can successfully implement Office 365 while remaining fully PCI compliant.

Simply put, for a financial organization to prove PCI compliance in an audit, it must be able to show Office 365 meets certain data and user activity auditing requirements. This must include the following:

  • User permissions tracking, so an audit trail can be established to identify those with excessive or outdated data permission levels
  • Data monitoring for changes or unauthorized access by either internal or external means
  • Being able to show how files and information are being transmitted or shared, including the identification of “ghost IT” efforts to get around established data permissions

These are but a sample of the PCI challenges a financial organization faces in using Office 365. But this weight does not need to fall squarely on your shoulders. Champion has the expertise to minimize security and regulatory threats within an Office 365 environment for financial organizations already using or planning to use Office 365.

How We Help With PCI Compliant Office 365 Initiatives

We have developed a four-point checklist that is geared specifically for PCI-regulated businesses using Office 365. The components in our checklist ensure that your organization minimizes potential threats while remaining transparent from an auditing perspective, keeping your data safe and compliant.

  1. Data storage parameters for access permissions and monitoring. A vast portion of this effort revolves around knowing where your data is stored and how it is used. We start by making sure that your Office 365 environment and cardholder data environment (CDE) are kept separate from each other to ensure a best-practice security posture. We then enable a fully encompassing data monitoring and tracking system so that you know what is being accessed, where it is being accessed from and by whom.
  2. Established user permissions audit controls. These controls ensure that users are not over-provisioned with data access, and that established access changes when a user’s role in the company changes or when the user leaves the organization.
  3. Data usage visibility when discovering, remediating and tracking potential malicious activity. We recommend using a solution that provides user behavior analytics (UBA) to achieve a concise and complete look into stored data. Using this, a business will have an easy-to-read report which snapshots data usage. Meanwhile, creating an alerting system which detects out-of-band data behaviors will offer organizations granular control over data security management and threat identification.
  4. Data transmissions and tracking of sent and presented data. This is especially important for direct customer-facing institutions, where account data needs to be visible and convenient for the customer, but secure on the backend.
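Items 2 and 3 of the checklist call for audit controls over data access and an alerting system that flags out-of-band data behavior. The following is an added example, not code from Champion or from the original article, showing the shape such a check can take: it reads audit records, one JSON object per line, and raises an alert when a user's daily file-download count exceeds a multiple of that user's baseline, or when an anonymous sharing link is created. The records are constructed for the example, the field names are modelled on the Office 365 unified audit log common schema (an assumption about the feed), and the baseline numbers and thresholds are illustrative values that an organization would set from its own observed usage.

```python
import json
from collections import Counter

# Constructed sample audit records (not real tenant data). Field names follow the
# Office 365 unified audit log common schema; that schema choice is an assumption.
SAMPLE_LOG_LINES = [
    json.dumps({"CreationTime": "2017-05-01T09:12:00", "Operation": "FileDownloaded",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
                "ObjectId": "https://tenant.example/sites/finance/q1.xlsx"}),
    json.dumps({"CreationTime": "2017-05-01T09:40:00", "Operation": "FileDownloaded",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
                "ObjectId": "https://tenant.example/sites/finance/q2.xlsx"}),
    json.dumps({"CreationTime": "2017-05-01T11:05:00", "Operation": "AnonymousLinkCreated",
                "UserId": "carol@example.com", "ClientIP": "198.51.100.7",
                "ObjectId": "https://tenant.example/sites/finance/statements.pdf"}),
    "this line is not valid JSON and must be skipped, not crash the check",
]
# Bob downloads 40 files in one day: constructed bulk-download behavior.
SAMPLE_LOG_LINES += [
    json.dumps({"CreationTime": f"2017-05-01T13:{i:02d}:00", "Operation": "FileDownloaded",
                "UserId": "bob@example.com", "ClientIP": "192.0.2.44",
                "ObjectId": f"https://tenant.example/sites/finance/report{i}.xlsx"})
    for i in range(40)
]

# Illustrative per-user baseline of normal downloads per day (assumed values).
BASELINE = {"alice@example.com": 5, "bob@example.com": 5}


def parse_records(lines):
    """Parse one JSON audit record per line, skipping malformed lines."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def downloads_per_user_day(records):
    """Count FileDownloaded events per (user, calendar day)."""
    counts = Counter()
    for r in records:
        if r.get("Operation") == "FileDownloaded":
            day = r.get("CreationTime", "")[:10]
            counts[(r.get("UserId", "unknown"), day)] += 1
    return counts


def detect_out_of_band_downloads(records, baseline, multiplier=3, default_baseline=5):
    """Alert when a user's daily downloads exceed multiplier x their baseline.

    Users without a baseline entry get default_baseline so new accounts are
    still watched rather than silently exempt.
    """
    alerts = []
    for (user, day), n in sorted(downloads_per_user_day(records).items()):
        limit = baseline.get(user, default_baseline) * multiplier
        if n > limit:
            alerts.append({"user": user, "day": day, "downloads": n, "limit": limit,
                           "reason": "download volume above baseline"})
    return alerts


def detect_anonymous_links(records):
    """Alert on every anonymous sharing link, since it bypasses permission controls."""
    return [{"user": r.get("UserId"), "object": r.get("ObjectId"),
             "reason": "anonymous sharing link created"}
            for r in records if r.get("Operation") == "AnonymousLinkCreated"]


def run_checks(lines, baseline):
    """Run both detections over raw log lines and return the combined alert list."""
    records = parse_records(lines)
    return detect_out_of_band_downloads(records, baseline) + detect_anonymous_links(records)


if __name__ == "__main__":
    print(json.dumps(run_checks(SAMPLE_LOG_LINES, BASELINE), indent=2))
```

Run against the constructed records, the check produces two alerts: one for bob@example.com, whose 40 downloads exceed the limit of 15 derived from his baseline, and one for the anonymous link created by carol@example.com. In a real deployment the baseline would be computed from historical volumes per user or role rather than hard-coded, and the alerts would be routed to whatever ticketing or SIEM system the organization already audits against.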

In establishing these four components, a financial organization using Office 365 moves from a PCI compliance gray area to all green.

Enlisting Knowledgeable Help

Champion is geared to walk your business through this process, thanks to our partnership with Microsoft. We have subject matter experts on hand to engage financial organizations in developing and improving Office 365 efforts in a way that leaves your business in a data security-hardened and PCI compliant state.
