Complying with PCI DSS 3.2 in the Office 365 Space is a Must for Financial Organizations

As Office 365 continues to gain ground in the financial industry, it is important know what PCI certification requirements a financial business must meet when implementing and maintaining a production Office 365 service. This includes knowing what information can safely be passed through an Office 365 environment, as well as how to address day-to-day security functions, such as user access management and data encryption.

Office 365 Is PCI Compliant – Sort Of

Let’s start with a caveat. Office 365 has been certified as being PCI DSS compliant, but only on a Level One (PCI-DSS version 1.2) basis. What this means for financial organizations, as well as for any organization subject to PCI regulations, is that Office 365 is not suitable for transactional processing, sending or storing of data that falls under PCI governance. Only with the appropriate security controls in place can financial organizations use such data in typical business activities.

Using Office 365 in a PCI World

While it may appear that using Office 365 in a financial organization will be a complicated task to complete, the fact is that with some forward thinking and due diligence, any organization can successfully implement Office while remaining fully PCI compliant.

Simply put, for a financial organization to prove PCI compliance in an audit, it must be able to show Office 365 meets certain data and user activity auditing requirements. This must include the following:

  • User permissions tracking, so an audit trail can be established to identify those with excessive or outdated data permission levels
  • Data monitoring for changes or unauthorized access by either internal or external means
  • Being able to show how files and information are being transmitted or shared, including the identification of “ghost IT” efforts to get around established data permissions

These are but a sample of the PCI challenges a financial organization faces in using Office 365. But this weight does not need to fall squarely on your shoulders. Champion has the expertise to minimize security and regulatory threats within an Office 365 environment for financial organizations already using or planning to use Office 365.

How We Help With PCI Compliant Office 365 Initiatives

We have developed a four point checklist that is geared specifically for PCI-regulated businesses using Office 365. The components in our checklist ensures that your organization minimizes potential threats while remaining transparent from an auditing perspective, keeping your data safe and compliant.

  1. Data storage parameters for access permissions and monitoring. A vast portion of this effort revolves around knowing where your data is stored and how it is used. We start this by making sure that your Office 365 environment and cardholder data environment (CDE) are outside of each other to ensure best practice security posturing. We then enable a fully encompassing data monitoring and tracking system so that you know what is being accessed, where it is being accessed from and by whom.
  2. Established user permissions audit controls. In doing so, users are not over-provisioned with data accesses, and ensures that established accesses change when a user’s role in the company changes or when the user leaves the organization.
  3. Data usage visibility when discovering, mediating and tracking potential malicious activity. We recommend using a solution that provides user behavior analytics (UBA) to achieve a concise and complete look into stored data. Using this, a business will have an easy-to-read report which snapshots data usage. Meanwhile, creating an alerting system which detects out-of-band data behaviors will offer organizations granular control over data security management and threat identification.
  4. Data transmissions and tracking of sent and presented data. This is especially important for direct customer-facing institutions, where account data needs to be visible and convenient for the customer, but secure on the backend.

In establishing these four components, a financial organization using Office 365 moves from a PCI compliance gray area to all green.

Enlisting Knowledgeable Help

Champion is geared to walk your business through this process, thanks to our partnership with Microsoft. We have subject matter experts on hand to engage financial organizations in developing and improving Office 365 efforts in a way that leaves your business in a data security-hardened and PCI compliant state.


Securing Public and Private Cloud Application Services to Close Attack Launching Points


N.Y. Department of Financial Services Makes Adjustments to their Cybersecurity Regulations


Erick Bacallao joined Champion Solutions Group in 2015 after a career of Software Development in Cuba at the National Cancer Care Institute of Cuba, followed by moving to the States with allAware.


Champion acquired allAware and its properties and Erick has utilized his extensive background and expertise in IT and Software Development to rise to VP of Product Development in less than 5 years. During this time, Erick has been involved with key projects that led to the launch of numerous products including CSP Boss, Inscape platform and 365 Productivity Insights.


Erick has a Bachelor of Science in Computer Science from the University of Havana. He won Gold Medals for Programming from the Ministry of Education in Cuba, and he is certainly still a Gold Medalist for Champion!


As President and CEO, Chris is responsible for the development of key strategic alliances and solution portfolio. He leads Champion’s go-to market and execution strategies for integrated offerings in the cloud, in security, and in digital infrastructure, always focusing on improving the customer experience and driving transformative business outcomes.


He also aligns key partner initiatives with company strategy and oversees corporate marketing and messaging to gain mindshare with customers and partners. It’s his vision and innovativeness that have catapulted Champion up the ranks to become a $100M+ organization—and one of the most respected solution providers in the industry.


Over the past two decades, Chris has also focused on mergers and acquisitions, as well as innovative product development. He is the original founder and an active member on the Board of Managed Maintenance, Inc., a SAAS provider and consulting firm that utilizes their award-winning One-View Portal to help the IT Channel and its customers manage their IT Maintenance.


Chris is also the original founder and chief strategist behind one of the original storage cloud providers, Storage Access / BluePoint. During the course of a few short years, he had raised $20M and took that company public on the Toronto Stock Exchange. It has since been acquired by Pomeroy.


In 2012, Chris led the acquisition of MessageOps and continued the product development and worldwide launch of its premier SAAS, 365 Command. Built on Microsoft Azure, 365 Command is currently managing over 1 million seats of Microsoft’s Office 365. After achieving this phenomenal milestone, 365 Command and other MessageOps O365 utilities were sold to Kaseya.


Over the past 35 years, Chris as worked tirelessly to not only advance his own career, but those of his employees. In addition to leading a $100M organization, Chris can also be found sitting with sales teams, cold calling and coaching, and validating why Champion has been listed on Best Places to Work by both South Florida Business Journal and Computerworld.

Ultimately, the success garnered by Champion Solutions Group, its associated companies, and their employees is due in large part to the leadership of its President and CEO. Perhaps the most fitting award Chris has earned is South Florida Business Journal’s 2013 Ultimate CEO Award.