What the New Azure PCI Matrix Means for Finance

In March of this year, a Coalfire assessment found Microsoft Azure to be compliant with PCI DSS 3.1 as a Level 1 Service Provider. The assessment covered both customer-facing and internal infrastructure services, including those that customers use to build payment gateway services. The Azure Compliance team released the results as a shared responsibility model, or matrix, to illustrate how PCI compliance responsibilities are divided between Microsoft Azure and the customers of Microsoft Azure cloud services, particularly those in the financial industry that themselves fall into the Level 1 Service Provider category. What does this mean for the financial sector?

PCI Level 1 Compliance

Now that Azure Cloud Services carries a PCI DSS Level 1 Service Provider validation, the in-scope Azure infrastructure is covered regardless of the volume of credit card transactions a financial firm or bank handles. This of course comes with a catch: an organization that itself meets the Level 1 threshold must still undergo an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly external network scans by an Approved Scanning Vendor (ASV), and Azure's validation does not satisfy those obligations on the customer's behalf. What working with a PCI compliant hosting provider like Microsoft does do is narrow the scope of the customer's own audit and make the required level of information security easier to maintain.

This is particularly beneficial for those that want to develop a cardholder data or card processing service. A financial institution can leverage Azure's validation, together with its own internal security controls, to reduce the cost and overall IT security effort required to achieve PCI DSS compliance. Sounds great, but again, there is a catch.

Shared and Shared Alike

It is important to note that Azure's PCI compliance status does not mean that a financial organization is automatically PCI compliant for the services it builds or hosts on the Azure Cloud platform. Any financial institution that utilizes Azure remains responsible for its own compliance with the PCI DSS requirements that fall to the customer. This means that a financial house or bank is free to build applications within the Azure Cloud, but simply building an application and hosting it in Azure is not a compliance guarantee.

It's not all that bad, though, as the key word to note in the new Azure PCI Matrix is "shared". While Microsoft Azure is validated as a Level 1 Service Provider, how much of the matrix's value a financial organization realizes will depend on how it leverages and implements Azure Cloud Services. For each PCI DSS requirement, the matrix specifies the area of responsibility and defines who (Azure, the customer, or both, as a shared responsibility) is responsible for meeting it.

The requirements in the PCI Matrix are very well laid out and easy to understand, and the matrix provides the following for each requirement:

  • Control Ownership
  • Guidance notes
  • Implementation details
  • Testing procedures

In the limited amount of time that my clients have had to work with and implement the PCI Matrix, I have found that the document makes a great outline to present to executives and project leadership. This is important in terms of gaining traction for any security initiative among a financial organization's business stakeholders, especially considering that many of these stakeholders still subscribe to the notion that IT security is not a business issue, or consider it a barrier to progress. By using the PCI Matrix to give a PCI compliance effort transparency and visibility, any PCI security initiative is much more likely to gain stakeholder buy-in.

My favorite piece of this matrix is the well-defined testing procedures that come with each requirement. This is pure gold when applied to financial IT security runbooks, as it fits in perfectly with the vast majority of QRadar configurations that Champion has set up and configured for its financial sector clients. Note that the testing procedures are the evidence a customer's own assessment will ask for; mapping them to QRadar rules, reports and log retention settings helps produce that evidence for the logging and monitoring requirements (PCI DSS Requirement 10 in particular), but it does not replace the assessment itself. So, the main takeaway here is that when a financial institution meshes the guidance and testing procedures within the PCI Matrix with its QRadar managed security policy, PCI compliance becomes far less stressful.

Enter The Matrix

The key benefit of this release for financial organizations utilizing payment gateway services on the Azure platform is the PCI compliance roadmap it provides, which gives those in the financial sector a path to an improved security posture in the public cloud with PCI DSS compliance in mind. Champion's experience serving financial institutions that use hosted payment gateway services on the Azure platform makes applying this matrix to managed cloud IT security policies a straightforward endeavor.
