What the New Azure PCI Matrix Means for Finance

In March of this year, a Coalfire assessment found Microsoft Azure to be a compliant Level 1 Service Provider with PCI DSS 3.1, and this included both customer-facing and internal infrastructure services, especially those using payment gateway services. The results were released by the Azure Compliance team in a shared responsibility model, or matrix, in order to better illustrate PCI compliance responsibilities for Microsoft Azure and the customers of Microsoft Azure cloud services, particularly those in the financial industry that fall into the Level 1 Service Provider category. What does this mean for the financial sector?

PCI Level 1 Compliance

Now that Azure Cloud Services carries PCI DSS Level 1 Service Provider validation, those using Azure are covered in terms of PCI compliance regardless of the volume of credit card transactions a financial firm or bank handles. This of course comes with a catch: those that meet Level 1 must undergo yearly on-site reviews via an internal audit while having their network scanned by an approved third party. Working with a PCI-compliant hosting provider like Microsoft makes the PCI audit, and maintaining the required levels of information security, much easier.

This is particularly beneficial for those that want to develop a cardholder or card processing service. A financial institution can leverage Azure’s validation along with their own internal security controls to reduce the costs and overall IT security efforts required in gaining PCI certification. Sounds great, but again, there is a catch.

Shared and Shared Alike

It is important to note that Azure’s PCI compliance status does not mean that a financial organization is automatically PCI compliant for the services they build or host on the Azure Cloud platform. Any financial institution that utilizes Azure is responsible for their own compliance within the specified PCI DSS requirements. This means that a financial house or bank is free to build applications within the Azure Cloud, but just building the application and hosting it in Azure is not a compliance guarantee.

It’s not all that bad, though, as the key word to note in the new Azure PCI Matrix is “shared”. While Microsoft Azure is certified as a Level 1 Service Provider, the effectiveness of the matrix for those in finance using Azure Cloud Services will depend on how the services are leveraged and implemented by the respective Azure customer. For a financial organization following its guidance, the matrix spells out the area of responsibility for each PCI requirement and defines who (Azure, customer, or shared) is responsible for it.

The requirements in the PCI Matrix are very well laid out and easy to understand, and for each requirement the matrix provides:

  • Control Ownership
  • Guidance notes
  • Implementation details
  • Testing procedures

In the limited amount of time that my clients have had to work with and implement the PCI Matrix, I have found that the document makes a great outline to present to executives and project leadership. This is important in terms of gaining traction for any security initiative among a financial organization’s business stakeholders, especially considering that many of these stakeholders still subscribe to the notion that IT security is not a business issue or consider it a barrier to progress. Using the PCI Matrix to give a PCI compliance effort transparency and visibility makes any PCI security initiative much more likely to gain validation.

My favorite piece of this matrix is in the well-defined testing procedures that come with each requirement. This is pure gold when applied to financial IT security runbooks, as it fits in perfectly with the vast majority of QRadar configurations that Champion has set up and configured for its financial sector clients. So, the main takeaway here is that when a financial institution meshes the guidance and testing procedures within the PCI Matrix with their QRadar managed security policy, PCI compliance stress quickly becomes a thing of the past.

Enter The Matrix

The key benefit of this release for financial organizations utilizing payment gateway services on the Azure platform is the PCI compliance roadmap it provides, which gives those in the financial sector an improved security posture in the public cloud with PCI DSS compliance in mind. Champion’s expertise in serving financial institutions that use hosted payment gateway services on the Azure platform makes folding this matrix into managed cloud IT security policies an easy endeavor.




Erick Bacallao joined Champion Solutions Group in 2015 after a career of Software Development in Cuba at the National Cancer Care Institute of Cuba, followed by moving to the States with allAware.


Champion acquired allAware and its properties and Erick has utilized his extensive background and expertise in IT and Software Development to rise to VP of Product Development in less than 5 years. During this time, Erick has been involved with key projects that led to the launch of numerous products including CSP Boss, Inscape platform and 365 Productivity Insights.


Erick has a Bachelor of Science in Computer Science from the University of Havana. He won Gold Medals for Programming from the Ministry of Education in Cuba, and he is certainly still a Gold Medalist for Champion!


As President and CEO, Chris is responsible for the development of key strategic alliances and solution portfolio. He leads Champion’s go-to market and execution strategies for integrated offerings in the cloud, in security, and in digital infrastructure, always focusing on improving the customer experience and driving transformative business outcomes.


He also aligns key partner initiatives with company strategy and oversees corporate marketing and messaging to gain mindshare with customers and partners. It’s his vision and innovativeness that have catapulted Champion up the ranks to become a $100M+ organization—and one of the most respected solution providers in the industry.


Over the past two decades, Chris has also focused on mergers and acquisitions, as well as innovative product development. He is the original founder and an active member on the Board of Managed Maintenance, Inc., a SAAS provider and consulting firm that utilizes their award-winning One-View Portal to help the IT Channel and its customers manage their IT Maintenance.


Chris is also the original founder and chief strategist behind one of the original storage cloud providers, Storage Access / BluePoint. During the course of a few short years, he had raised $20M and took that company public on the Toronto Stock Exchange. It has since been acquired by Pomeroy.


In 2012, Chris led the acquisition of MessageOps and continued the product development and worldwide launch of its premier SAAS, 365 Command. Built on Microsoft Azure, 365 Command is currently managing over 1 million seats of Microsoft’s Office 365. After achieving this phenomenal milestone, 365 Command and other MessageOps O365 utilities were sold to Kaseya.


Over the past 35 years, Chris has worked tirelessly to not only advance his own career, but those of his employees. In addition to leading a $100M organization, Chris can also be found sitting with sales teams, cold calling and coaching, and validating why Champion has been listed on Best Places to Work by both South Florida Business Journal and Computerworld.

Ultimately, the success garnered by Champion Solutions Group, its associated companies, and their employees is due in large part to the leadership of its President and CEO. Perhaps the most fitting award Chris has earned is South Florida Business Journal’s 2013 Ultimate CEO Award.