Microsoft Azure 2020 PCI DSS Requirements Responsibility Matrix

2020 Microsoft Azure PCI DSS Requirem
Introduction
Schellman conducted an assessment and found Microsoft Azure to be compliant with PCI DSS 3.2.1 as of March 5,
compliance responsibilities for Microsoft Azure and the customers of Microsoft Azure services. As part of the asses
infrastructure services.
Overview
Microsoft Azure offers its customers Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) solutions, wh
offerings include physical plants and data center facilities, networking firewalls/security, and servers and storage. P
database management, and business analytics.
Customer facing services including AI + Machine Learning, Analytics, Compute, Containers, Databases, Developer T
Governance, Media, Networking, Security, Storage, Web, Windows Virtual Desktop, and Microsoft Online Services
Azure internal infrastructure services. For a complete list of internal infrastructure services included within the asse
Compliance.
Responsibility
Customers of Microsoft Azure are ultimately responsible for their own PCI DSS compliance. The following tabs desc
shared by both to achieve PCI DSS compliance. In all assessments, proper scoping is key to success. For cloud deplo
this Responsibility Summary will aid customers in planning ahead for a successful assessment.
As a Level 1 Service Provider, Microsoft Azure allows for its customers to satisfy specific PCI DSS requirements cited
dependent on which Microsoft Azure services are being leveraged and how they are being implemented by the cus
Most requirements, however, require an understanding of the distribution of responsibilities between Microsoft A
requirements are fully the responsibility of Microsoft Azure customers to implement to meet PCI DSS compliance.
In general, responsibilities can be understood as follows:

IaaS instances: very little difference from traditional self-hosted servers, with Microsoft Azure providing the datace
PaaS services: given the large variety of ways customers can use PaaS services, one useful heuristic is: "what does
manner?"
Attestation of Compliance
Microsoft Azure’s 2020 PCI DSS 3.2.1 Attestation of Compliance can be downloaded for customer use at https://ser
Confidential – This document is intended only for the use of Microsoft Azur
DSS Requirement Responsibility Matrix
th PCI DSS 3.2.1 as of March 5, 2020. This responsibility matrix has been created to illustrate and clarify the PCI
re services. As part of the assessment Schellman analyzed an array of both customer-facing and internal
as a Service (PaaS) solutions, which its customers may use to store, process, or transmit cardholder data. IaaS
urity, and servers and storage. PaaS offerings include IaaS offerings plus operating systems, development tools,
tainers, Databases, Developer Tools, DevOps, Identity, Integration, Internet of Things, Management and
, and Microsoft Online Services were included within the assessment. Additionally, Schellman assessed Microsoft
services included within the assessment, please refer to Microsoft Azure’s 2020 PCI DSS 3.2.1 Attestation of
pliance. The following tabs describe the various responsibilities of Microsoft Azure, its customers, and those
key to success. For cloud deployments, reading the PCI requirements to understand their intent, and correlating
ssessment.
cific PCI DSS requirements cited herein through usage of its Attestation of Compliance. This reliance is
e being implemented by the customer.
nsibilities between Microsoft Azure and its customers to fully meet PCI DSS compliance. In addition, some
nt to meet PCI DSS compliance.
osoft Azure providing the datacenter networking compliance.

useful heuristic is: "what does the customer control/configure?" and "how are those managed in a compliant
d for customer use at https://servicetrust.microsoft.com/

ly for the use of Microsoft Azure customers and should not be distributed.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity’s trusted network.
A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly
insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.
Other system components may provide firewall functionality, as long as they meet the minimum requirements for firewalls as defined in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1.
Control Ownership Implementation Details

PCI DSS Requirements Testing Procedures Guidance
Microsoft Azure Only Customer Only Shared Microsoft Azure Customer -- PaaS Services Customer -- IaaS instances
1.1 Establish and implement firewall and router 1.1 Inspect the firewall and router Firewalls and routers are key components of Microsoft Azure is reponsible for network Customers are responsible for establishing Customers are responsible for establishing
configuration standards that include the following: configuration standards and other the architecture that controls entry to and configurations on PaaS VMs and system and implementing configuration standards and implementing firewall and router
documentation specified below and verify that exit from the network. These devices are settings that customers are not able to for use of Microsoft Azure networking configuration standards if those devices are
standards are complete and implemented as software or hardware devices that block alter. controls for customer subscriptions that are present in their CDE. Customers are also
follows: unwanted access and manage authorized accessible by the customer. responsible for configuration standards for
access into and out of the network. use of Microsoft Azure native networking
controls for customer subscriptions.
Configuration standards and procedures will
help to ensure that the organization’s first
line of defense in the protection of its data
remains strong.
1.1.1 A formal process for approving and testing 1.1.1.a Examine documented procedures to A documented and implemented process for Microsoft Azure is reponsible for network Customers are responsible for establishing Customers are responsible for establishing
all network connections and changes to the verify there is a formal process for testing and approving and testing all connections and configurations on PaaS VMs and system and implementing a process for testing and and implementing a process for testing and
firewall and router configurations approval of all: changes to the firewalls and routers will help settings that customers are not able to approving all network connections and approving all network connections and
- Network connections, and prevent security problems caused by alter. changes to their in-scope environment. changes to their in-scope environment.
- Changes to firewall and router configurations misconfiguration of the network, router, or
firewall.
1.1.1.b For a sample of network connections, Without formal approval and testing of
interview responsible personnel and examine changes, records of the changes might not be
records to verify that network connections updated, which could lead to inconsistencies
were approved and tested. between network documentation and the
actual configuration.
1.1.1.c Identify a sample of actual changes
made to firewall and router configurations,
compare to the change records, and interview
responsible personnel to verify the changes
were approved and tested.
1.1.2 Current network diagram that identifies all 1.1.2.a Examine diagram(s) and observe Network diagrams describe how networks Not applicable Customers are responsible for maintaining Customers are responsible for maintaining
connections between the cardholder data network configurations to verify that a current are configured, and identify the location of a current diagram that identifies all a current diagram that identifies all
environment and other networks, including any network diagram exists and that it documents all network devices. networks, network devices, and system networks, network devices, and system
wireless networks all connections to cardholder data, including Without current network diagrams, devices components, with all connections between components, with all connections between
any wireless networks. could be overlooked and be unknowingly left the CDE and other networks. the CDE and other networks.
out of the security controls implemented for
PCI DSS and thus be vulnerable to
compromise.
1.1.2.b Interview responsible personnel to
verify that the diagram is kept current.
1.1.3 Current diagram that shows all cardholder 1.1.3 Examine data-flow diagram and interview Cardholder data-flow diagrams identify the Not applicable Customers are responsible for Customers are responsible for
data flows across systems and networks personnel to verify the diagram: location of all cardholder data that is stored, diagramming all cardholder data flows diagramming all cardholder data flows
- Shows all cardholder data flows across processed, or transmitted within the across systems and networks. across systems and networks.
systems and networks. network.
- Is kept current and updated as needed upon Network and cardholder data-flow diagrams
changes to the environment. help an organization to understand and keep
track of the scope of their environment, by
showing how cardholder data flows across
networks and between individual systems
and devices.
1.1.4 Requirements for a firewall at each Internet 1.1.4.a Examine the firewall configuration Using a firewall on every Internet connection Microsoft Azure employs boundary The Customer has the responsibility to The Customer has the responsibility to
connection and between any demilitarized zone standards and verify that they include coming into (and out of) the network, and protection devices such as gateways, properly configure Microsoft Azure native properly configure Microsoft Azure native
(DMZ) and the internal network zone requirements for a firewall at each Internet between any DMZ and the internal network, network ACLs and application firewalls to networking controls within their in-scope networking controls within their in-scope
connection and between any DMZ and the allows the organization to monitor and control communications at external and environment. environment.
internal network zone. control access and minimizes the chances of internal boundaries at the platform level.
a malicious individual obtaining access to the The Customer then configures these to
1.1.4.b Verify that the current network internal network via an unprotected their specifications and requirements.
diagram is consistent with the firewall connection. Microsoft Azure filters communication
configuration standards. when coming into the platform.
1.1.4.c Observe network configurations to

verify that a firewall is in place at each Internet
connection and between any demilitarized
zone (DMZ) and the internal network zone, per
the documented configuration standards and
network diagrams.
1.1.5 Description of groups, roles, and 1.1.5.a Verify that firewall and router This description of roles and assignment of Not applicable Customers are responsible for establishing Customers are responsible for establishing
responsibilities for management of network configuration standards include a description responsibilities ensures that personnel are defined roles and responsibilities to defined roles and responsibilities to
components of groups, roles, and responsibilities for aware of who is responsible for the security oversee implementation of the information oversee implementation of the information
management of network components of all network components, and that those security policy across their in-scope security policy across their in-scope
assigned to manage components are aware environment. environment.
of their responsibilities. If roles and
responsibilities are not formally assigned,
devices could be left unmanaged.
1.1.5 Description of groups, roles, and This description of roles and assignment of Not applicable Customers are responsible for establishing Customers are responsible for establishing
responsibilities for management of network responsibilities ensures that personnel are defined roles and responsibilities to defined roles and responsibilities to
components aware of who is responsible for the security oversee implementation of the information oversee implementation of the information
of all network components, and that those security policy across their in-scope security policy across their in-scope
assigned to manage components are aware environment. environment.
of their responsibilities. If roles and
responsibilities are not formally assigned,
1.1.5.b Interview personnel responsible for devices could be left unmanaged.
management of network components to
confirm that roles and responsibilities are
assigned as documented.
1.1.6 Documentation of business justification and 1.1.6.a Verify that firewall and router Compromises often happen due to unused or Not applicable Customers are responsible for documenting Customers are responsible for documenting
approval for use of all services, protocols, and configuration standards include a documented insecure service and ports, since these often business justification for use of all services, business justification for use of all services,
ports allowed, including documentation of security list of all services, protocols and ports, have known vulnerabilities and many protocols, and ports allowed that are protocols, and ports allowed, including
features implemented for those protocols including business justification for each. organizations don’t patch vulnerabilities for configured by the customer. documentation of security features
considered to be insecure. the services, protocols, and ports they don't Documentation of security features implemented for those protocols
1.1.6.b Identify insecure services, protocols, use (even though the vulnerabilities are still implemented for those protocols considered to be insecure.
and ports allowed; and verify that security present). By clearly defining and considered to be insecure must also be
features are documented for each service. documenting the services, protocols, and included.
ports that are necessary for business,
1.1.6.c Examine firewall and router organizations can ensure that all other
configurations to verify that the documented services, protocols, and ports are disabled or
security features are implemented for each removed.
insecure service, protocol, and port. Approvals should be granted by personnel
independent of the personnel managing the
configuration.
If insecure services, protocols, or ports are
necessary for business, the risk posed by use
of these protocols should be clearly
understood and accepted by the
organization, the use of the protocol should
be justified, and the security features that
allow these protocols to be used securely
should be documented and implemented. If
these insecure services, protocols, or ports
are not necessary for business, they should
be disabled or removed
1.1.7 Requirement to review firewall and router 1.1.7.a Verify that firewall and router This review gives the organization an Not applicable Customers are responsible for establishing Customers are responsible for establishing
rule sets at least every six months configuration standards require review of opportunity at least every six months to a policy and conducting a review of all a policy and conducting a review of all
firewall and router rule sets at least every six
clean up any unneeded, outdated, or firewalls and Microsoft Azure network firewalls and Microsoft Azure native
months. incorrect rules, and ensure that all rule sets controls that are configured by the network controls at least semi-annually.
allow only authorized services and ports that customer at least semi-annually.
1.1.7.b Examine documentation relating to rule match the documented business
set reviews and interview responsible justifications.
personnel to verify that the rule sets are Organizations with a high volume of changes
reviewed at least every six months. to firewall and router rule sets may wish to
consider performing reviews more
frequently, to ensure that the rule sets
continue to meet the needs of the business.
1.2 Build firewall and router configurations that 1.2 Examine firewall and router configurations It is essential to install network protection Not applicable Customers are responsible for clearly Customers are responsible for clearly
restrict connections between untrusted networks and perform the following to verify that between the internal, trusted network and identifying and segmenting data networks identifying and segmenting data networks
and any system components in the cardholder connections are restricted between untrusted any untrusted network that is external to isolate the CDE. Access to the CDE to isolate the CDE. Access to the CDE
data environment. networks and system components in the and/or out of the entity’s ability to control or should only be allowed from specified IP should only be allowed from specified IP
cardholder data environment: manage. Failure to implement this measure addresses. addresses.
Note: An “untrusted network” is any network that correctly results in the entity being
is external to the networks belonging to the entity vulnerable to unauthorized access by
under review, and/or which is out of the entity's malicious individuals or software.
ability to control or manage. For firewall functionality to be effective, it
must be properly configured to control
and/or limit traffic into and out of the
entity’s network.
1.2.1 Restrict inbound and outbound traffic to that 1.2.1.a Examine firewall and router This requirement is intended to prevent Not applicable The Customer at the time of subscription is The Customer at the time of subscription is
which is necessary for the cardholder data configuration standards to verify that they malicious individuals from accessing the required to configure the Microsoft Azure required to configure the Microsoft Azure
environment, and specifically deny all other traffic. identify inbound and outbound traffic entity’s network via unauthorized IP application firewall in order to allow only application firewall in order to allow only
necessary for the cardholder data addresses or from using services, protocols, specified range of IP addresses to access specified range of IP addresses to access
environment. or ports in an unauthorized manner (for Microsoft Azure services. Customers are Microsoft Azure services. Customers are
1.2.1.b Examine firewall and router example, to send data they've obtained from responsible for verifying firewall and responsible for verifying firewall and
configurations to verify that inbound and within your network out to an untrusted Microsoft Azure native networking controls Microsoft Azure native networking controls
outbound traffic is limited to that which is server.) contain a deny-all at any CDE boundary. contain a deny-all at any CDE boundary.
necessary for the cardholder data
environment. Implementing a rule that denies all inbound
1.2.1.c Examine firewall and router and outbound traffic that is not specifically
configurations to verify that all other inbound needed helps to prevent inadvertent holes
and outbound traffic is specifically denied, for that would allow unintended and potentially
example by using an explicit “deny all” or an harmful traffic in or out.
implicit deny after allow statement.
1.2.2 Secure and synchronize router configuration 1.2.2.a Examine router configuration files to While the running (or active) router Not applicable Customers are responsible for Customers are responsible for
files. verify they are secured from unauthorized configuration files include the current, secure synchronizing configurations for Microsoft synchronizing configurations for Microsoft
access. settings, the start-up files (which are used Azure native network controls under their Azure native network controls and network
when routers are re-started or booted) must management. devices under their management.
be updated with the same secure settings to
ensure these settings are applied when the
start-up configuration is run.
Because they only run occasionally, start-up

configuration files are often forgotten and
are not updated. When a router re-starts and
loads a start-up configuration that has not
been updated with the same secure settings
as those in the running configuration, it may
result in weaker rules that allow malicious
individuals into the network.
1.2.2 Secure and synchronize router configuration While the running (or active) router Not applicable Customers are responsible for Customers are responsible for
files. configuration files include the current, secure synchronizing configurations for Microsoft synchronizing configurations for Microsoft
settings, the start-up files (which are used Azure native network controls under their Azure native network controls and network
when routers are re-started or booted) must management. devices under their management.
be updated with the same secure settings to
ensure these settings are applied when the
start-up configuration is run.
Because they only run occasionally, start-up

1.2.2.b Examine router configurations to verify configuration files are often forgotten and
they are synchronized—for example, the are not updated. When a router re-starts and
running (or active) configuration matches the loads a start-up configuration that has not
start-up configuration (used when machines been updated with the same secure settings
are booted). as those in the running configuration, it may
result in weaker rules that allow malicious
individuals into the network.
1.2.3 Install perimeter firewalls between all 1.2.3.a Examine firewall and router The known (or unknown) implementation Not applicable Customers are responsible for configuring Customers are responsible for configuring
wireless networks and the cardholder data configurations to verify that there are and exploitation of wireless technology firewalls and Microsoft Azure network firewalls and Microsoft Azure native
environment, and configure these firewalls to perimeter firewalls installed between all within a network is a common path for controls that are configured by the network controls between any on-premise
deny or, if traffic is necessary for business wireless networks and the cardholder data malicious individuals to gain access to the customer between any on-premise wireless wireless environments and their IaaS
purposes, permit only authorized traffic between environment. network and cardholder data. If a wireless environments and their IaaS instances. instances.
the wireless environment and the cardholder data device or network is installed without the
environment. entity’s knowledge, a malicious individual
could easily and “invisibly” enter the
network. If firewalls do not restrict access
from wireless networks into the CDE,
malicious individuals that gain unauthorized
1.2.3.b Verify that the firewalls deny or, if access to the wireless network can easily
traffic is necessary for business purposes, connect to the CDE and compromise account
permit only authorized traffic between the information.
wireless environment and the cardholder data
environment. Firewalls must be installed between all
wireless networks and the CDE, regardless of
the purpose of the environment to which the
wireless network is connected. This may
include, but is not limited to, corporate
networks, retail stores, guest networks,
warehouse environments, etc.
1.3 Prohibit direct public access between the 1.3 Examine firewall and router configurations A firewall's intent is to manage and control Microsoft Azure employs network-based The Customer at the time of subscription is The Customer at the time of subscription is
Internet and any system component in the —including but not limited to the choke router all connections between public systems and and host-based boundary protection required to configure the Azure application required to configure the Azure application
cardholder data environment. at the Internet, the DMZ router and firewall, internal systems, especially those that store, devices such as firewalls, load balancers, firewall in order to allow only specified firewall in order to allow only specified
the DMZ cardholder segment, the perimeter process or transmit cardholder data. If direct and ACLs. These devices use mechanisms range of IP addresses to access Microsoft range of IP addresses to access Microsoft
router, and the internal cardholder network access is allowed between public systems such as VLAN isolation, NAT and packet Azure VMs in their CDE. Azure VMs in their CDE.
segment—and perform the following to and the CDE, the protections offered by the filtering to separate customer traffic from
determine that there is no direct access firewall are bypassed, and system Internet and management traffic.
between the Internet and system components components storing cardholder data may be
in the internal cardholder network segment: exposed to compromise.
1.3.1 Implement a DMZ to limit inbound traffic to 1.3.1 Examine firewall and router The DMZ is that part of the network that Not applicable Customers are responsible for Customers are responsible for
only system components that provide authorized configurations to verify that a DMZ is manages connections between the Internet implementing a DMZ network for their CDE implementing a DMZ network for their CDE
publicly accessible services, protocols, and ports. implemented to limit inbound traffic to only (or other untrusted networks), and services and ensuring only authorized services, and ensuring only authorized services,
system components that provide authorized that an organization needs to have available ports and protocols are accessible. ports and protocols are accessible.
publicly accessible services, protocols, and to the public (like a web server).
ports. This functionality is intended to prevent
malicious individuals from accessing the
organization's internal network from the
Internet, or from using services, protocols, or
1.3.2 Limit inbound Internet traffic to IP addresses 1.3.2 Examine firewall and router ports in an unauthorized manner. Not applicable Customers are responsible for Customers are responsible for
within the DMZ. configurations to verify that inbound Internet implementing a DMZ network for their CDE implementing a DMZ network for their CDE
traffic is limited to IP addresses within the and ensuring only authorized services, and ensuring only authorized services,
DMZ. ports and protocols are accessible. ports and protocols are accessible.
1.3.3 Implement anti-spoofing measures to detect 1.3.3 Examine firewall and router Normally a packet contains the IP address of Microsoft Azure implements network Not applicable Not applicable
and block forged source IP addresses from configurations to verify that anti-spoofing the computer that originally sent it so other filtering to prevent spoofed traffic and
entering the network. measures are implemented, for example computers in the network know where the restrict incoming and outgoing traffic to
internal addresses cannot pass from the packet came from. trusted platform components.
(For example, block traffic originating from the Internet into the DMZ. Malicious individuals will often try to spoof
Internet with an internal source address.) (or imitate) the sending IP address so that
the target system believes the packet is from
a trusted source.
Filtering packets coming into the network
helps to, among other things, ensure packets
are not “spoofed” to look like they are
coming from an organization’s own internal
network.
1.3.4 Do not allow unauthorized outbound traffic 1.3.4 Examine firewall and router All traffic outbound from the cardholder data Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
from the cardholder data environment to the configurations to verify that outbound traffic environment should be evaluated to ensure firewall, Microsoft Azure network controls firewall, Microsoft Azure native network
Internet. from the cardholder data environment to the that it follows established, authorized rules. they have access to, and SQL Server firewall controls, and SQL Server firewall settings
Internet is explicitly authorized. Connections should be inspected to restrict settings prevent unauthorized outbound prevent unauthorized outbound traffic
traffic to only authorized communications traffic from the in-scope environment to from the in-scope environment to the
(for example by restricting the Internet. This can be accomplished by Internet. This can be accomplished by
source/destination addresses/ports, and/or configuring outbound traffic ACLs for configuring outbound traffic ACLs for
blocking of content). approved ports and protocols in the approved ports and protocols in the
Microsoft Azure management portal. Microsoft Azure management portal.
1.3.5 Permit only “established” connections into 1.3.5 Examine firewall and router onfigurations A firewall that maintains the "state" (or the Microsoft Azure implements network Not applicable Not applicable
the network. to verify that the firewall permits only status)for each connection through the filtering to prevent spoofed traffic and
established connections into the internal firewall knows whether an apparent restrict incoming and outgoing traffic to
network and denies any inbound connections response to a previous connection is actually trusted platform components. The
not associated with a previously established a valid, authorized response (since it retains Microsoft Azure network is segregated to
session. each connection’s status) or is malicious separate customer traffic from
traffic trying to trick the firewall into allowing management traffic.
the connection.
1.3.6 Place system components that store 1.3.6 Examine firewall and router If cardholder data is located within the DMZ, Microsoft Azure uses network segregation The Customers are responsible for proper The Customers are responsible for proper
cardholder data (such as a database) in an internal configurations to verify that system it is easier for an external attacker to access and NAT to separate customer traffic from placement of any SQL database instance placement of any SQL database instance
network zone, segregated from the DMZ and components that store cardholder data are on this information, since there are fewer layers management traffic. within their defined in-scope networks. within their defined in-scope networks.
other untrusted networks. an internal network zone, segregated from the to penetrate. Securing system components
DMZ and other untrusted networks. that store cardholder data in an internal
network zone that is segregated from the
DMZ and other untrusted networks by a
firewall can prevent unauthorized network
traffic from reaching the system component.
Note: This requirement is not intended to
apply to temporary storage of cardholder
data in volatile memory.
1.3.7 Do not disclose private IP 1.3.7.a Examine firewall and router Restricting the disclosure of internal or Microsoft Azure uses Network Address Not applicable Customers are responsible for ensuring
addresses and routing information to configurations to verify that methods are in private IP addresses is essential to prevent a Translation (NAT) and network segregation servers containing cardholder data are
unauthorized parties. place to prevent the disclosure of private IP hacker “learning” the IP addresses of the to separate customer traffic from placed behind proxy servers/firewalls and
Note: Methods to obscure IP addressing addresses and routing information from internal network, and using that information management traffic. Azure devices are use of RFC1918 address space.
may include, but are not limited to: internal networks to the Internet. to access the network. uniquely identified by their UUID and are
- Network Address Translation Methods used to meet the intent of this authenticated using Kerberos. Azure
(NAT) requirement may vary depending on the managed network devices are identified by
- Placing servers containing specific networking technology being used. RFC 1918 IP addressed.
cardholder data behind proxy For example, the controls used to meet this
servers/firewalls, requirement may be different for IPv4
- Removal or filtering of route 1.3.7.b Interview personnel and examine networks than for IPv6 networks.
advertisements for private documentation to verify that any disclosure of
networks that employ registered private IP addresses and routing information to
addressing, external entities is authorized.
- Internal use of RFC1918 address
space instead of registered
addresses.
1.4 Install personal firewall software or equivalent 1.4.a Examine policies and configuration Portable computing devices that are allowed Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
functionality on any portable computing devices standards to verify: to connect to the Internet from outside the personal firewall software has been personal firewall software has been
(including company and/or employee-owned) that - Personal firewall software or equivalent corporate firewall are more vulnerable to installed on any portable devices that installed on any portable devices that
connect to the Internet when outside the network functionality is required for all portable Internet-based threats. Use of firewall connect to their CDE from the Internet. connect to their CDE from the Internet.
(for example, laptops used by employees), and computing devices (including company and/or functionality (e.g., personal firewall software
which are also used to access the CDE. Firewall (or employee-owned) that connect to the Internet or hardware) helps to protect devices from
equivalent) configurations include: when outside the network (for example, Internet-based attacks, which could use the
laptops used by employees), and which are device to gain access the organization’s
-Specific configuration settings are defined. also used to access the CDE. systems and data once the device is re-
- Specific configuration settings are defined for connected to the network.
- Personal firewall (or equivalent functionality) is personal firewall (or equivalent functionality). The specific firewall configuration settings
actively running. Personal firewall (or equivalent functionality) is are determined by the organization.
configured to actively run. Note: This requirement applies to employee-
- Personal firewall (or equivalent functionality) is - Personal firewall (or equivalent functionality) owned and company-owned portable
not alterable by users of the portable computing is configured to not be alterable by users of the computing devices. Systems that cannot be
devices. portable computing devices. managed by corporate policy introduce
weaknesses and
provide opportunities that malicious
individuals may exploit. Allowing untrusted
systems to connect to an organization’s CDE
could result in
access being granted to attackers and other
1.4.b Inspect a sample of company and/or malicious users.
employee-owneddevices to verify that:
- Personal firewall (or equivalent functionality)
is installed and configured per the
organization’s specific configuration settings.
is actively running.
is not alterable by users of the portable
computing devices.
1.5 Ensure that security policies and operational 1.5 Examine documentation and interview Personnel need to be aware of and following Not applicable Customers are responsible for establishing Customers are responsible for establishing
procedures for managing firewalls are personnel to verify that security policies and security policies and operational procedures and maintaining policies and procedures and maintaining policies and procedures
documented, in use, and known to all affected operational procedures for managing firewalls to ensure firewalls and routers are for managing Microsoft Azure-based for managing Microsoft Azure-based
parties. are: continuously managed to prevent firewall rules on any firewall which isolates firewall rules on any firewall which isolates
- Documented, unauthorized access to the network. their CDE within Microsoft Azure. their CDE within Microsoft Azure.
- In use, and
- Known to all affected parties.
Confidential – This document is intended only for the use of Microsoft Azure customers and should not be distributed.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.

2.1 Always change vendor-supplied defaults and 2.1.a Choose a sample of system components, Malicious individuals (external and internal Microsoft Azure Active Directory password Customers are responsible for not setting The Customer has the responsibility to
remove or disable unnecessary default accounts and attempt to log on (with system to an organization) often use vendor default policy requirements are enforced on the or using default credentials for in-scope remove defaults during their baseline
before installing a system on the network. administrator help) to the devices and settings, account names, and passwords to new passwords supplied by customers PaaS services. configuration process for any in-scope IaaS
This applies to ALL default passwords, including applications using default vendor-supplied compromise operating system software, within the AADUX portal. Customer instances.
but not limited to those used by operating accounts and passwords, to verify that ALL applications, and the systems on which they initiated self service password changes
systems, software that provides security services, default passwords (including those on are installed. Because these default settings require validation of older password.
application and system accounts, point-of-sale operating systems, software that provides are often published and are well known in Administrator reset passwords are required
(POS) terminals, Simple Network Management security services, application and system hacker communities, changing these settings to be changed upon subsequent login.
Protocol (SNMP) community strings, etc.). accounts, POS terminals, and Simple Network will leave systems less vulnerable to attack.
Management Protocol (SNMP) community
strings) have been changed. (Use vendor Even if a default account is not intended to
manuals and sources on the Internet to find be used, changing the default password to a
vendor-supplied accounts/passwords.) strong unique password and then disabling
the account will prevent a malicious
individual from re-enabling the account and
gaining access with the default password.
2.1.b For the sample of system components,
verify that all unnecessary default accounts
(including accounts used by operating systems,
security software, applications, systems, POS
terminals, SNMP, etc.) are removed or
disabled.
2.1.c Interview personnel and examine

supporting documentation to verify that:
- All vendor defaults (including default
passwords on operating systems, software
providing security services, application and
system accounts, POS terminals, Simple
Network Management Protocol (SNMP)
community strings, etc.) are changed before a
system is installed on the network.
- Unnecessary default accounts (including

accounts used by operating systems, security
software, applications, systems, POS terminals,
SNMP, etc.) are removed or disabled before a
system is installed on the network.
2.1.1 For wireless environments connected to the 2.1.1.a Interview responsible personnel and If wireless networks are not implemented Not applicable Not applicable Customers are responsible for ensuring any
cardholder data environment or transmitting examine supporting documentation to verify with sufficient security configurations on-site wireless networks are properly
cardholder data, change ALL wireless vendor that: (including changing default settings), wireless segmented and have proper security such
defaults at installation, including but not limited to - Encryption keys were changed from default sniffers can eavesdrop on the traffic, easily that the Azure VMs within the Customer
default wireless encryption keys, passwords, and at installation capture data and passwords, and easily enter CDE are not at risk of compromise.
SNMP community strings. - Encryption keys are changed anytime anyone and attack the network.
with knowledge of the keys leaves the In addition, the key-exchange protocol for
company or changes positions. older versions of 802.11x encryption (Wired
Equivalent Privacy, or WEP) has been broken
and can render the encryption useless.
2.1.1.b Interview personnel and examine Firmware for devices should be updated to
policies and procedures to verify: support more secure protocols.
- Default SNMP community strings are required
to be changed upon installation.
- Default passwords/phrases on access points
are required to be changed upon installation.
2.1.1.c Examine vendor documentation and

login to wireless devices, with system
administrator help, to verify:
- Default SNMP community strings are not
used.
- Default passwords/passphrases on access
points are not used.
2.1.1.d Examine vendor documentation and

observe wireless configuration settings to
verify firmware on wireless devices is updated
to support strong encryption for:
- Authentication over wireless networks
- Transmission over wireless networks.
2.1.1.e Examine vendor documentation and

observe wireless configuration settings to
verify other security-related wireless vendor
defaults were changed, if applicable.
2.2 Develop configuration standards for all system 2.2.a Examine the organization’s system There are known weaknesses with many For Microsoft Azure, the Security Services Customers are responsible for developing Customers are responsible for developing
components. Assure that these standards address configuration standards for all types of system operating systems, databases, and enterprise team develops security configuration configuration standards for all in-scope configuration standards for all IaaS instance
all known security vulnerabilities and are components and verify the system applications, and there are also known ways standards for systems in the Microsoft PaaS services. Hardening standards should builds. Additional controls for this
consistent with industry-accepted system configuration standards are consistent with to configure these systems to fix security Azure environment that are consistent with follow guidelines published by Microsoft requirement include the use of standard
hardening standards. industry-accepted hardening standards. vulnerabilities. To help those that are not industry-accepted hardening standards. Azure. image file templates for server builds along
Sources of industry-accepted system hardening security experts, a number of security These configurations are documented in with a clearly defined configuration
standards may include, but are not limited to: organizations have established system- system baselines and relevant standard. Hardening standards should
- Center for Internet Security (CIS) hardening guidelines and recommendations, configuration changes are communicated follow guidelines from well-known
- International Organization for Standardization which advise how to correct these to impacted teams (e.g., IPAK team). organizations like CIS, ISO, NIST and SANS.
(ISO) weaknesses. Procedures are implemented to monitor
- SysAdmin Audit Network Security (SANS) Examples of sources for guidance on for compliance against the security
Institute configuration standards include, but are not configuration standards. The security
- National Institute of Standards Technology limited to: www.nist.gov, www.sans.org, and configuration standards for systems in the
(NIST). www.cisecurity.org, www.iso.org, and Microsoft Azure environment are
product vendors. consistent with industry-accepted
System configuration standards must be kept hardening standards and are reviewed at
up to date to ensure that newly identified least annually.
weaknesses are corrected prior to a system
being installed on the network.
2.2 Develop configuration standards for all system There are known weaknesses with many For Microsoft Azure, the Security Services Customers are responsible for developing Customers are responsible for developing
components. Assure that these standards address operating systems, databases, and enterprise team develops security configuration configuration standards for all in-scope configuration standards for all IaaS instance
all known security vulnerabilities and are applications, and there are also known ways standards for systems in the Microsoft PaaS services. Hardening standards should builds. Additional controls for this
consistent with industry-accepted system to configure these systems to fix security Azure environment that are consistent with follow guidelines published by Microsoft requirement include the use of standard
hardening standards. vulnerabilities. To help those that are not industry-accepted hardening standards. Azure. image file templates for server builds along
Sources of industry-accepted system hardening security experts, a number of security These configurations are documented in with a clearly defined configuration
standards may include, but are not limited to: organizations have established system- system baselines and relevant standard. Hardening standards should
- Center for Internet Security (CIS) hardening guidelines and recommendations, configuration changes are communicated follow guidelines from well-known
- International Organization for Standardization which advise how to correct these to impacted teams (e.g., IPAK team). organizations like CIS, ISO, NIST and SANS.
(ISO) 2.2.b Examine policies and interview personnel weaknesses. Procedures are implemented to monitor
- SysAdmin Audit Network Security (SANS) to verify that system configuration standards Examples of sources for guidance on for compliance against the security
Institute are updated as new vulnerability issues are configuration standards include, but are not configuration standards. The security
- National Institute of Standards Technology identified, as defined in Requirement 6.1. limited to: www.nist.gov, www.sans.org, and configuration standards for systems in the
(NIST). www.cisecurity.org, www.iso.org, and Microsoft Azure environment are
product vendors. consistent with industry-accepted
System configuration standards must be kept hardening standards and are reviewed at
up to date to ensure that newly identified least annually.
weaknesses are corrected prior to a system
2.2.c Examine policies and interview personnel being installed on the network.
to verify that system configuration standards
are applied when new systems are configured
and verified as being in place before a system
is installed on the network.
2.2.d Verify that system configuration

standards include the following procedures for
all types of system components:
- Changing of all vendor-supplied defaults and
elimination of unnecessary default accounts
- Implementing only one primary function per
server to prevent functions that require
different security levels from co-existing on the
same server
- Enabling only necessary services, protocols,
daemons, etc., as required for the function of
the system
- Implementing additional security features for
any required services, protocols or daemons
that are considered to be insecure
- Configuring system security parameters to
prevent misuse
- Removing all unnecessary functionality, such
as scripts, drivers, features, subsystems, file
systems, and unnecessary web servers.
2.2.1 Implement only one primary function per 2.2.1.a Select a sample of system components If server functions that need different Not applicable Not applicable The Customer must ensure only one
server to prevent functions that require different and inspect the system configurations to verify security levels are located on the same primary function is in use per IaaS instance.
security levels from co-existing on the same that only one primary function is implemented server, the security level of the functions For example, web servers, database
server. (For example, web servers, database per server. with higher security needs would be reduced servers, and DNS should be implemented
servers, and DNS should be implemented on due to the presence of the lower-security on separate servers.
separate servers.) functions. Additionally, the server functions
with a lower security level may introduce
Note: Where virtualization technologies are in use, security weaknesses to other functions on
implement only one primary function per virtual 2.2.1.b If virtualization technologies are used, the same server. By considering the security
system component. inspect the system configurations to verify that needs of different server functions as part of
only one primary function is implemented per the system configuration standards and
virtual system component or device. related processes, organizations can ensure
that functions requiring different security
levels don’t co-exist on the same server.
2.2.2 Enable only necessary services, protocols, 2.2.2.a Select a sample of system components As stated in Requirement 1.1.6, there are Microsoft Azure software and hardware Customers are responsible for developing Customers are responsible for developing
daemons, etc., as required for the function of the and inspect enabled system services, daemons, many protocols that a business may need (or configurations are reviewed at least configuration standards for all in-scope configuration standards for all IaaS instance
system. and protocols to verify that only necessary have enabled by default) that are commonly quarterly to identify and eliminate any PaaS services. Hardening standards should builds. Additional controls for this
services or protocols are enabled. used by malicious individuals to compromise unnecessary functions, ports, protocols and follow guidelines published by Microsoft requirement include the use of standard
a network. Including this requirement as part services. Azure. image file templates for server builds along
of an organization's configuration standards with a clearly defined configuration
and related processes ensures that only the standard. Hardening standards should
necessary services and protocols are follow guidelines from well-known
2.2.2.b Identify any enabled insecure services, enabled. organizations like CIS, ISO, NIST and SANS.
daemons, or protocols and interview personnel
to verify they are justified per documented
configuration standards.
2.2.3 Implement additional security features for 2.2.3.a Inspect configuration settings to verify Enabling security features before new Not applicable Customers are responsible for determining Customers are responsible for determining
any required services, protocols, or daemons that that security features are documented and servers are deployed will prevent servers if any insecure services are running on in- if insecure services are running on in-scope
are considered to be insecure. implemented for all insecure services, being installed into the environment with scope PaaS services and protect those IaaS instances and protect those services
daemons, or protocols. insecure configurations. services accordingly. accordingly.
Ensuring that all insecure services, protocols,
and daemons are adequately secured with
appropriate security features makes it more
difficult for malicious individuals to take
advantage of commonly used points of
compromise within a network.
2.2.4 Configure system security parameters to 2.2.4.a Interview system administrators and/or System configuration standards and related Azure ensures only authorized personal are Customers are responsible for ensuring Customers are responsible for ensuring
prevent misuse. security managers to verify that they have processes should specifically address security able to configure Azure platform security only authorized personnel can configure only authorized personnel can configure
knowledge of common security parameter settings and parameters that have known controls, using multi-factor access controls PaaS service parameters. IaaS instance configurations.
settings for system components. security implications for each type of system and a documented buiness need.
in use.
2.2.4.b Examine the system configuration In order for systems to be configured
standards to verify that common security securely, personnel responsible for
parameter settings are included. configuration and/or administering systems
must be knowledgeable in the specific
security parameters and settings that apply
to the system.
2.2.4 Configure system security parameters to System configuration standards and related Azure ensures only authorized personal are Customers are responsible for ensuring Customers are responsible for ensuring
prevent misuse. processes should specifically address security able to configure Azure platform security only authorized personnel can configure only authorized personnel can configure
settings and parameters that have known controls, using multi-factor access controls PaaS service parameters. IaaS instance configurations.
security implications for each type of system and a documented buiness need.
in use.
In order for systems to be configured

securely, personnel responsible for
configuration and/or administering systems
2.2.4.c Select a sample of system components must be knowledgeable in the specific
and inspect the common security parameters security parameters and settings that apply
to verify that they are set appropriately and in to the system.
accordance with the configuration standards.
2.2.5 Remove all unnecessary functionality, such 2.2.5.a Select a sample of system components Unnecessary functions can provide Azure ensures that systems in the Azure Customers are responsible for developing Customers are responsible for developing
as scripts, drivers, features, subsystems, file and inspect the configurations to verify that all additional opportunities for malicious platform follow hardening standards and and maintaining hardening standards and and maintaining hardening standards and
systems, and unnecessary web servers. unnecessary functionality (for example, scripts, individuals to gain access to a system. By policies for infrastructure and services policies for services and applications built policies for the IaaS instances and
drivers, features, subsystems, file systems, removing unnecessary functionality, within Azure's control. on PaaS offerings and to ensure those applications and ensure those baseline
etc.) is removed. organizations can focus on securing the baseline standards are applied to each standards are applied to IaaS instance
functions that are required and reduce the service instantiation. server builds.
risk that unknown functions will be
exploited.
Including this in server-hardening standards
2.2.5.b. Examine the documentation and and processes addresses the specific security
security parameters to verify enabled functions implications associated with unnecessary
are documented and support secure functions (for example, by
configuration. removing/disabling FTP or the web server if
the server will not be performing those
2.2.5.c. Examine the documentation and functions).
security parameters to verify that only
documented functionality is present on the
sampled system components.
2.3 Encrypt all non-console administrative access 2.3 Select a sample of system components and If non-console (including remote) Microsoft Azure ensures the use of strong Not applicable Customers are responsible for enforcing
using strong cryptography. verify that non-console administrative access is administration does not use secure cryptography are enforced when accessing the use of strong cryptography for non-
encrypted by performing the following: authentication and encrypted the hypervisor infrastructure. Microsoft console IaaS instance access. Customer
communications, sensitive administrative or Azure also ensures that customers using should validate access to IaaS instances via
operational level information (like the Microsoft Azure Management Portal the Microsoft Azure Management Portal
administrator’s IDs and passwords) can be are able to access their service/IaaS can only be performed using strong
2.3.a Observe an administrator log on to each revealed to an eavesdropper. A malicious consoles with strong cryptography. cryptographic mechanisms (HTTPS/TLS1.2).
system and examine system configurations to individual could use this information to
verify that a strong encryption method is access the network, become administrator,
invoked before the administrator’s password is and steal data.
requested. Clear-text protocols (such as HTTP, telnet,
etc.) do not encrypt traffic or logon details,
2.3.b Review services and parameter files on making it easy for an eavesdropper to
systems to determine that Telnet and other intercept this information.
insecure remote-login commands are not To be considered “strong cryptography,”
available for non-console access. industry-recognized protocols with
appropriate key strengths and key
2.3.c Observe an administrator log on to each management should be in place as applicable
system to verify that administrator access to for the type of technology in use. (Refer to
any web-based management interfaces is "strong cryptography” in the PCI DSS and PA-
encrypted with strong cryptography. DSS Glossary of Terms, Abbreviations, and
Acronyms, and industry standards and best
2.3.d Examine vendor documentation and practices such as NIST SP 800-52 and SP 800-
interview personnel to verify that strong 57, OWASP, etc.)
cryptography for the technology in use is
implemented according to industry best
practices and/or vendor recommendations.
2.4 Maintain an inventory of system components 2.4.a Examine system inventory to verify that a Maintaining a current list of all system Not applicable Customers are responsible for maintaining Customers are responsible for maintaining
that are in scope for PCI DSS. list of hardware and software components is components will enable an organization to a list of all in-scope PaaS services. a list of all in-scope IaaS instances.
maintained and includes a description of accurately and efficiently define the scope of
function/use for each. their environment for implementing PCI DSS
controls. Without an inventory, some system
2.4.b Interview personnel to verify the components could be forgotten, and be
documented inventory is kept current. inadvertently excluded from the
organization’s configuration standards.
2.5 Ensure that security policies and operational 2.5 Examine documentation and interview Personnel need to be aware of and following Not applicable Customers are responsible for maintaining Customers are responsible for maintaining
procedures for managing vendor defaults and personnel to verify that security policies and security policies and daily operational their own policies and procedures for their own policies and procedures for
other security parameters are documented, in use, operational procedures for managing vendor procedures to ensure vendor defaults and configuring security parameters within configuring security parameters within
and known to all affected parties. defaults and other security parameters are: other security parameters are continuously Azure. Azure.
- Documented, managed to prevent insecure configurations.
- In use, and
2.6 Shared hosting providers must protect each 2.6 Perform testing procedures A.1.1 through This is intended for hosting providers that
entity’s hosted environment and cardholder data. A.1.4 detailed in Appendix A: Additional PCI provide shared hosting environments for
These providers must meet specific requirements DSS Requirements for Shared Hosting multiple clients on the same server. When all
as detailed in Appendix A: Additional PCI DSS Providers for PCI DSS assessments of shared data is on the same server and under control
Requirements for Shared Hosting Providers. hosting providers, to verify that shared hosting of a single environment, often the settings on
providers protect their entities’ (merchants these shared servers are not manageable by
and service providers) hosted environment and individual clients. This allows clients to add
data. insecure functions and scripts that impact
the security of all other client environments; Not applicable. Microsoft Azure is not a shared hosting provider. Not applicable. Microsoft Azure is not a shared hosting provider.
and thereby make it easy for a malicious
individual to compromise one client's data
and thereby gain access to all other clients'
data. See Appendix A for details of
requirements.
Requirement 3: Protect stored cardholder data
Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data
should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.
Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of “strong cryptography” and other PCI DSS terms.

3.1 Keep cardholder data storage to a minimum by 3.1.a Examine the data retention and disposal A formal data retention policy identifies what Azure is responsible for ensuring the Customers are responsible for limiting CHD Customers are responsible for limiting CHD
implementing data retention and disposal policies, policies, procedures and processes to verify data needs to be retained, and where that customer data designated for deletion are storage, defining retention requirements storage, defining retention requirements
procedures and processes that include at least the they include at least the following: data resides so it can be securely destroyed securely decommissioned using NIST 800- for CHD, deleting CHD in a timely fashion, for CHD, deleting CHD in a timely fashion,
following for all cardholder data (CHD) storage: - Legal, regulatory, and business requirements or deleted as soon as it is no longer needed. 88 compliant protocols specified in its ensuring all CHD is securely deleted or ensuring all CHD is securely deleted or
- Limiting data storage amount and retention time for data retention, including The only cardholder data that may be stored Secure Disposal policies. destroyed and verifying timely and destroyed and verifying timely and
to that which is required for legal, regulatory, and - Specific requirements for retention of after authorization is the primary account appropriate deletion on a quarterly basis. appropriate deletion on a quarterly basis.
business requirements cardholder data (for example, cardholder data number or PAN (rendered unreadable),
- Processes for secure deletion of data when no needs to be held for X period for Y business expiration date, cardholder name, and
longer needed reasons). service code.
- Specific retention requirements for cardholder - Secure deletion of cardholder data when no
data longer needed for legal, regulatory, or business Understanding where cardholder data is
- A quarterly process for identifying and securely reasons located is necessary so it can be properly
deleting stored cardholder data that exceeds - Coverage for all storage of cardholder data retained or disposed of when no longer
defined retention. - A quarterly process for identifying and needed. In order to define appropriate
securely deleting stored cardholder data that retention requirements, an entity first needs
exceeds defined retention requirements. to understand their own business needs as
well as any legal or regulatory obligations
that apply to their industry, and/or that apply
to the type of data being retained.
Identifying and deleting stored data that has

3.1.b Interview personnel to verify that: exceeded its specified retention period
- All locations of stored cardholder data are prevents unnecessary retention of data that
included in the data retention and disposal is no longer needed. This process may be
processes.
automated or manual or a combination of
- Either a quarterly automatic or manual both. For example, a programmatic
process is in place to identify and securely procedure (automatic or manual) to locate
delete stored cardholder data. and remove data and/or a manual review of
- The quarterly automatic or manual process is data storage areas could be performed.
performed for all locations of cardholder data. Implementing secure deletion methods
ensure that the data cannot be retrieved
when it is no longer needed.
3.1.c For a sample of system components that
store cardholder data: Remember, if you don't need it, don't store
- Examine files and system records to verify it!
that the data stored does not exceed the
requirements defined in the data retention
policy
- Observe the deletion mechanism to verify
data is deleted securely.
3.2 Do not store sensitive authentication data 3.2.a For issuers and/or companies that Sensitive authentication data consists of full Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
after authorization (even if encrypted). If sensitive support issuing services and store sensitive track data, card validation code or value, and authentication data, track data, verification authentication data, track data, verification
authentication data is received, render all data authentication data, review policies and PIN data. Storage of sensitive authentication codes and PINs are not stored after codes and PINs are not stored after
unrecoverable upon completion of the interview personnel to verify there is a data after authorization is prohibited! This authorization, unless they are Issuers. authorization, unless they are Issuers.
authorization process. documented business justification for the data is very valuable to malicious individuals
storage of sensitive authentication data. as it allows them to generate counterfeit
It is permissible for issuers and companies that payment cards and create fraudulent
support issuing services to store sensitive transactions.
authentication data if: Entities that issue payment cards or that
- There is a business justification and perform or support issuing services will often
- The data is stored securely. create and control sensitive authentication
data as part of the issuing function. It is
Sensitive authentication data includes the data as 3.2.b For issuers and/or companies that allowable for companies that perform,
cited in the following Requirements 3.2.1 through support issuing services and store sensitive facilitate, or support issuing services to store
3.2.3: authentication data, examine data stores and sensitive authentication data ONLY IF they
system configurations to verify that the have a legitimate business need to store such
sensitive authentication data is secured. data.
It should be noted that all PCI DSS
requirements apply to issuers, and the only
exception for issuers and issuer processors is
that sensitive authentication data may be
retained if there is a legitimate reason to do
so. A legitimate reason is one that is
3.2.c For all other entities, if sensitive necessary for the performance of the
authentication data is received, review policies function being provided for the issuer and
and procedures, and examine system not one of convenience. Any such data must
configurations to verify the data is not retained be stored securely and in accordance with all
after authorization. PCI DSS and specific payment brand
requirements.
For non-issuing entities, retaining sensitive
authentication data post-authorization is not
permitted.
3.2.d For all other entities, if sensitive

authentication data is received, review
procedures and examine the processes for
securely deleting the data to verify that the
data is unrecoverable.
3.2.1 Do not store the full contents of any track3.2.1 For a sample of system components, If full track data is stored, malicious Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
(from the magnetic stripe located on the back of a
examine data sources including but not limited individuals who obtain that data can use it to authentication data, track data, verification authentication data, track data, verification
card, equivalent data contained on a chip, or to the following, and verify that the full reproduce payment cards and complete codes and PINs are not stored after codes and PINs are not stored after
elsewhere) after authorization. This data is contents of any track from the magnetic stripe fraudulent transactions. authorization, unless they are Issuers. authorization, unless they are Issuers.
alternatively called full track, track, track 1, track
on the back of card or equivalent data on a
2, and magnetic-stripe data. chip are not stored after authorization:
- Incoming transaction data
Note: In the normal course of business, the - All logs (for example, transaction, history,
following data elements from the magnetic stripe debugging, error)
may need to be retained: - History files
- The cardholder’s name - Trace files
- Primary account number (PAN) - Several database schemas
- Expiration date - Database contents.
- Service code
To minimize risk, store only these data elements as

needed for business.
3.2.2 Do not store the card verification code or 3.2.2 For a sample of system components, The purpose of the card validation code is to Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
value (three-digit or four-digit number printed on examine data sources, including but not protect "card-not-present" transactions— authentication data, track data, verification authentication data, track data, verification
the front or back of a payment card) used to verify limited to the following, and verify that the Internet or mail order/telephone order codes and PINs are not stored after codes and PINs are not stored after
card-not-present transactions after authorization. three-digit or four-digit card verification code (MO/TO) transactions—where the consumer authorization, unless they are Issuers. authorization, unless they are Issuers.
or value printed on the front of the card or the and the card are not present.
signature panel (CVV2, CVC2, CID, CAV2 data) If this data is stolen, malicious individuals can
is not stored after authorization: execute fraudulent Internet and MO/TO
- Incoming transaction data transactions.
- All logs (for example, transaction, history,
debugging, error)
- History files
- Trace files
- Several database schemas
- Database contents.
3.2.3 Do not store the personal identification 3.2.3 For a sample of system components, These values should be known only to the Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
number (PIN) or the encrypted PIN block after examine data sources, including but not card owner or bank that issued the card. If authentication data, track data, verification authentication data, track data, verification
authorization. limited to the following and verify that PINs this data is stolen, malicious individuals can codes and PINs are not stored after codes and PINs are not stored after
and encrypted PIN blocks are not stored after execute fraudulent PIN-based debit authorization, unless they are Issuers. authorization, unless they are Issuers.
authorization: transactions (for example, ATM withdrawals).
- Incoming transaction data
- All logs (for example, transaction, history,
debugging, error)
- History files
- Trace files
- Several database schemas
- Database contents.
3.3 Mask PAN when displayed (the first six and last 3.3.a Examine written policies and procedures The display of full PAN on items such as Not applicable Customers are responsible for masking PAN Customers are responsible for masking PAN
four digits are the maximum number of digits to for masking the display of PANs to verify: computer screens, payment card receipts, data, managing cryptographic keys, and data, managing cryptographic keys, and
be displayed), such that only personnel with a - A list of roles that need access to displays of faxes, or paper reports can result in this data documenting all related procedures. documenting all related procedures.
legitimate business need can see the full PAN. full PAN is documented, together with a being obtained by unauthorized individuals
legitimate business need for each role to have and used fraudulently. Ensuring that full PAN
Note: This requirement does not supersede stricter such access. is only displayed for those with a legitimate
requirements in place for displays of cardholder - PAN must be masked when displayed such business need to see the full PAN minimizes
data—for example, legal or payment card brand that only personnel with a legitimate business the risk of unauthorized persons gaining
requirements for point-of-sale (POS) receipts. need can see the full PAN. access to PAN data.
- All other roles not specifically authorized to This requirement relates to protection of
see the full PAN must only see masked PANs. PAN displayed on screens, paper receipts,
printouts, etc., and is not to be confused with
Requirement 3.4 for protection of PAN when
stored in files, databases, etc.
3.3.b Examine system configurations to verify
that full PAN is only displayed for users/roles
with a documented business need, and that
PAN is masked for all other requests.
3.3.c Examine displays of PAN (for example, on

screen, on paper receipts) to verify that PANs
are masked when displaying cardholder data,
and that only those with a legitimate business
need are able to see full PAN.
3.4 Render PAN unreadable anywhere it is stored 3.4.a Examine documentation about the PANs stored in primary storage (databases, Not applicable Customers are responsible for masking PAN Customers are responsible for masking PAN
(including on portable digital media, backup system used to protect the PAN, including the or flat files such as text files spreadsheets) as data, managing cryptographic keys, and data, managing cryptographic keys, and
media, and in logs) by using any of the following vendor, type of system/process, and the well as non-primary storage (backup, audit documenting all related procedures. documenting all related procedures.
approaches: encryption algorithms (if applicable) to verify logs, exception or troubleshooting logs) must
- One-way hashes based on strong cryptography, that the PAN is rendered unreadable using any all be protected.
(hash must be of the entire PAN) of the following methods: One-way hash functions based on strong
- Truncation (hashing cannot be used to replace - One-way hashes based on strong cryptography can be used to render
the truncated segment of PAN) cryptography, cardholder data unreadable. Hash functions
- Index tokens and pads (pads must be securely - Truncation are appropriate when there is no need to
stored) - Index tokens and pads, with the pads being retrieve the original number (one-way
- Strong cryptography with associated key- securely stored hashes are irreversible). It is recommended,
management processes and procedures. - Strong cryptography, with associated key- but not currently a requirement, that an
management processes and procedures. additional, random input value be added to
Note: It is a relatively trivial effort for a malicious the cardholder data prior to hashing to
individual to reconstruct original PAN data if they reduce the feasibility of an attacker
have access to both the truncated and hashed comparing the data against (and deriving the
version of a PAN. Where hashed and truncated PAN from) tables of pre-computed hash
versions of the same PAN are present in an entity’s 3.4.b Examine several tables or files from a values.
environment, additional controls must be in place sample of data repositories to verify the PAN is The intent of truncation is to permanently
to ensure that the hashed and truncated versions rendered unreadable (that is, not stored in remove a segment of PAN data so that only a
cannot be correlated to reconstruct the original plain-text). portion (generally not to exceed the first six
PAN. and last four digits) of the PAN is stored.
3.4.c Examine a sample of removable media An index token is a cryptographic token that
(for example, back-up tapes) to confirm that replaces the PAN based on a given index for
the PAN is rendered unreadable. an unpredictable value. A one-time pad is a
system in which a randomly generated
private key is used only once to encrypt a
message that is then decrypted using a
matching one-time pad and key.
The intent of strong cryptography (as defined
in the PCI DSS and PA-DSS Glossary of Terms,
Abbreviations, and Acronyms) is that the
encryption be based on an industry-tested
and accepted algorithm (not a proprietary or
"home-grown" algorithm) with strong
cryptographic keys.
By correlating hashed and truncated versions
of a given PAN, a malicious individual may
individual to reconstruct original PAN data if they reduce the feasibility of an attacker
have access to both the truncated and hashed comparing the data against (and deriving the
version of a PAN. Where hashed and truncated PAN from) tables of pre-computed hash
versions of the same PAN are present in an entity’s values.
environment, additional controls must be in place The intent of truncation is to permanently
to ensure that the hashed and truncated versions remove a segment of PAN data so that only a
cannot be correlated to reconstruct the original portion (generally not to exceed the first six
PAN. and last four digits) of the PAN is stored.
An index token is a cryptographic token that
replaces the PAN based on a given index for
an unpredictable value. A one-time pad is a
system in which a randomly generated
3.4.d Examine a sample of audit logs to private key is used only once to encrypt a
confirm that the PAN is rendered unreadable message that is then decrypted using a
or removed from the logs. matching one-time pad and key.
The intent of strong cryptography (as defined
in the PCI DSS and PA-DSS Glossary of Terms,
Abbreviations, and Acronyms) is that the
3.4.e If hashed and truncated versions of the encryption be based on an industry-tested
same PAN are present in the environment, and accepted algorithm (not a proprietary or
examine implemented controls to verify that "home-grown" algorithm) with strong
the hashed and truncated versions cannot be cryptographic keys.
correlated to reconstruct the original PAN. By correlating hashed and truncated versions
of a given PAN, a malicious individual may
easily derive the original PAN value. Controls
that prevent the correlation of this data will
help ensure that the original PAN remains
unreadable.
3.4.1 If disk encryption is used (rather than file- or 3.4.1.a If disk encryption is used, inspect the The intent of this requirement is to address Not applicable Not applicable Customers are responsible for managing
column-level database encryption), logical access configuration and observe the authentication the acceptability of disk-level encryption for cryptographic keys and documenting all
must be managed separately and independently process to verify that logical access to rendering cardholder data unreadable. Disk- related procedures.
of native operating system authentication and encrypted file systems is implemented via a level encryption encrypts the entire
access control mechanisms (for example, by not mechanism that is separate from the native disk/partition on a computer and
using local user account databases or general operating system’s authentication mechanism automatically decrypts the information when
network login credentials). Decryption keys must (for example, not using local user account an authorized user requests it. Many disk-
not be associated with user accounts. databases or general network login encryption solutions intercept operating
credentials). system read/write operations and carry out
Note: This requirement applies in addition to all the appropriate cryptographic
other PCI DSS encryption and key-management transformations without any special action
requirements. by the user other than supplying a password
or pass phrase upon system startup or at the
beginning of a session. Based on these
3.4.1.b Observe processes and interview characteristics of disk-level encryption, to be
personnel to verify that cryptographic keys are compliant with this requirement, the method
stored securely (for example, stored on cannot:
removable media that is adequately protected 1) Use the same user account authenticator
with strong access controls). as the operating system, or
2) Use a decryption key that is associated
with or derived from the system’s local user
account database or general network login
3.4.1.c Examine the configurations and observe credentials.
the processes to verify that cardholder data on Full disk encryption helps to protect data in
removable media is encrypted wherever the event of physical loss of a disk and
stored. therefore may be appropriate for portable
devices that store cardholder data.
Note: If disk encryption is not used to encrypt
removable media, the data stored on this
media will need to be rendered unreadable
through some other method.
3.5 Document and implement procedures to 3.5 Examine key-management policies and Cryptographic keys must be strongly For customers using Key Vault: Customers are responsible for managing Customers are responsible for managing
protect keys used to secure stored cardholder procedures to verify processes are specified to protected because those who obtain access Microsoft Azure ensures that customer key cryptographic keys and documenting all cryptographic keys and documenting all
data against disclosure and misuse: protect keys used for encryption of cardholder will be able to decrypt data. Key-encrypting vaults are logically isolated from each related procedures. related procedures.
data against disclosure and misuse and include keys, if used, must be at least as strong as other, and logically isolated from the
Note: This requirement applies to keys used to at least the following: the data-encrypting key in order to ensure management plane of the Key Vault For customers using Key Vault: For customers using Key Vault:
encrypt stored cardholder data, and also applies to - Access to keys is restricted to the fewest proper protection of the key that encrypts service. Key Vault is designed so that Customers are responsible for defining Customers are responsible for defining
key-encrypting keys used to protect data- number of custodians necessary. the data as well as the data encrypted with Microsoft does not have any standing their key management policies and their key management policies and
encrypting keys—such key-encrypting keys must - Key-encrypting keys are at least as strong as that key. access to the customer’s key vault. procedures, including use of Key Vault. procedures, including use of Key Vault.
be at least as strong as the data-encrypting key. the data-encrypting keys they protect.
- Key-encrypting keys are stored separately The requirement to protect keys from Keys are safeguarded by Microsoft Azure,
from data-encrypting keys. disclosure and misuse applies to both data- using industry-standard algorithms, key
- Keys are stored securely in the fewest encrypting keys and key-encrypting keys. lengths, and hardware security modules
possible locations and forms. Because one key-encrypting key may grant (HSMs).
access to many data-encrypting keys, the
key-encrypting keys require strong A key stored in Microsoft Azure Key Vault
protection measures. may be used to protect another key.
3.5.1 Additional requirement for service providers 3.5.1 Interview responsible personnel and Note: This requirement applies only when For customers using Key Vault: Customers are responsible for managing Customers are responsible for managing
only: Maintain a documented description of the reviewdocumentation to verify that a the entity being assessed is a service Microsoft Azure ensures that customer key cryptographic keys and documenting all cryptographic keys and documenting all
cryptographic architecture that includes: document exists to describe the cryptographic provider. vaults are logically isolated from each related procedures. related procedures.
- Details of all algorithms, protocols, and keys used architecture, including: Maintaining current documentation of the other, and logically isolated from the
for the protection of cardholder data, including - Details of all algorithms, protocols, and keys cryptographic architecture enables an entity management plane of the Key Vault For customers using Key Vault: For customers using Key Vault:
key strength and expiry date used for the protection of cardholder data, to understand the algorithms, protocols, and service. Key Vault is designed so that Customers are responsible for defining Customers are responsible for defining
- Description of the key usage for each key including key strength and expiry date cryptographic keys used to protect Microsoft does not have any standing their key management policies and their key management policies and
- Inventory of any HSMs and other SCDs used for - Description of the key usage for each key cardholder data, as well as the devices that access to the customer’s key vault. procedures, including use of Key Vault. procedures, including use of Key Vault.
key management - Inventory of any HSMs and other SCDs used generate, use and protect the keys. This
for key management allows an entity to keep pace with evolving Keys are safeguarded by Microsoft Azure,
threats to their architecture, enabling them using industry-standard algorithms, key
to plan for updates as the assurance levels lengths, and hardware security modules
provided by different algorithms/key (HSMs).
strengths changes. Maintaining
such documentation also allows an entity to A key stored in Microsoft Azure Key Vault
detect lost or missing keys or key- may be used to protect another key.
management devices, and identify
unauthorized additions to their cryptographic
architecture.
3.5.2 Restrict access to cryptographic 3.5.2 Examine user access lists to verify that There should be very few who have access to For customers using Key Vault: Customers are responsible for managing Customers are responsible for managing
keys to the fewest number of custodians access to keys is restricted to the fewest cryptographic keys reducing the potential for Key Vault supports granular access policies, cryptographic keys and documenting all cryptographic keys and documenting all
necessary. number of custodians necessary. rending cardholder data visible by that allow Key Vault owner to grant access related procedures. related procedures.
unauthorized parties), usually only those who to specific functionality to perform specific
have key custodian responsibilities. operations to specific entities. For customers using Key Vault: For customers using Key Vault:
Customers are responsible for defining Customers are responsible for defining
their key management policies and their key management policies and
procedures, including use of Key Vault. procedures, including use of Key Vault.
3.5.3 Store secret and private keys used to 3.5.3.a Examine documented procedures to Cryptographic keys must be stored securely For customers using Key Vault: Customers are responsible for managing Customers are responsible for managing
encrypt/decrypt cardholder data in one (or more) verify that cryptographic keys used to to prevent unauthorized or unnecessary Keys are stored in the specific key vaults cryptographic keys and documenting all cryptographic keys and documenting all
of the following forms at all times: encrypt/decrypt cardholder data must only access that could result in the exposure of identified by the customer. related procedures. related procedures.
- Encrypted with a key-encrypting key that is at exist in one (or more) of the following forms at cardholder data.
least as strong as the data-encrypting key, and all times. It is not intended that the key-encrypting Key Vault can be accessed simultaneously For customers using Key Vault: For customers using Key Vault:
that is stored separately from the data-encrypting - Encrypted with a key-encrypting key that is at keys be encrypted, however they are to be and globally by multiple applications, which Customers are responsible for the Customers are responsible for the
key least as strong as the data-encrypting key, and protected against disclosure and misuse as reduces the need to copy a key and store in management of their keys outside of Key management of their keys outside of Key
- Within a secure cryptographic device (such as a that is stored separately from the data- defined in multiple locations. Vault, and for determining which key Vault, and for determining which key
hardware (host) security module (HSM) or PTS- encrypting key Requirement 3.5. If key-encrypting keys are vault(s) to use. vault(s) to use.
approved point-of-interaction device) - Within a secure cryptographic device (such as used, storing the key-encrypting keys in
- As at least two full-length key components or key a hardware (host) security module (HSM) or physically and/or logically separate locations
shares, in accordance with an industry- accepted PTS-approved from the data-encrypting keys reduces the
method point-of-interaction device) risk of unauthorized access to both keys.
- As key components or key shares, in
Note: It is not required that public keys be accordance with an industry-accepted method
stored in one of these forms.
3.5.3.b Examine system configurations and key

storage locations to verify that cryptographic
keys used to encrypt/decrypt cardholder data
exist in one (or more) of the following form at
all times.
• Encrypted with a key-encrypting key
• Within a secure cryptographic device (such as
a hardware (host) security module (HSM) or
PTS-approved point-of-interaction device)
• As key components or key shares, in
accordance with an industry-accepted method
3.5.3.c Wherever key-encrypting keys are used,

examine system configurations and key
storage locations to verify:
- Key-encrypting keys are at least as strong as
the data- encrypting keys they protect
- Key-encrypting keys are stored separately
from data-
encrypting keys.
3.5.4 Store cryptographic keys in the 3.5.4 Examine key storage locations and Storing cryptographic keys in the fewest
fewest possible locations observe processes to verify that keys are locations helps an organization to keep track
stored in the fewest possible locations. and monitor all key locations, and minimizes
the potential for keys to be exposed to
unauthorized parties.
3.6 Fully document and implement all key- 3.6.a Additional testing procedure for service The manner in which cryptographic keys are Not applicable Customers which are service providers are Customers which are service providers are
management processes and procedures for provider assessments only: If the service managed is a critical part of the continued responsible for managing cryptographic responsible for managing cryptographic
cryptographic keys used for encryption of provider shares keys with their customers for security of the encryption solution. A good keys and documenting all related keys and documenting all related
cardholder data, including the following: transmission or storage of cardholder data, key-management process, whether it is procedures for their customers. procedures for their customers.
examine the documentation that the service manual or automated as part of the
Note: Numerous industry standards for key provider provides to their customers to verify encryption product, is based on industry
management are available from various resources that it includes guidance on how to securely standards and addresses all key elements at
including NIST, which can be found at transmit, store, and update customers’ keys, in 3.6.1 through 3.6.8.
http://csrc.nist.gov. accordance with Requirements 3.6.1 through Providing guidance to customers on how to
3.6.8 below. securely transmit, store and update
cryptographic keys can help prevent keys
from being mismanaged or disclosed to
unauthorized entities.
3.6.b Examine the key-management This requirement applies to keys used to
procedures and processes for keys used for encrypt stored cardholder data, and any
encryption of cardholder data and perform the respective key-encrypting keys.
following:
3.6.1 Generation of strong cryptographic keys 3.6.1.a Verify that key-management The encryption solution must generate For customers using Key Vault: Customers are responsible for managing Customers are responsible for managing
procedures specify how to generate strong strong keys, as defined in the PCI DSS and When generating keys in Key Vault, Azure is cryptographic keys and documenting all cryptographic keys and documenting all
keys. PA-DSS Glossary of Terms, Abbreviations, responsible for generating keys per the related procedures. related procedures.
and Acronyms under "strong cryptography." customers specifications. Keys are
Use of strong cryptographic keys significantly generated using a HSM. For customers using Key Vault: For customers using Key Vault:
3.6.1.b Observe the method for generating increases the level of security of encrypted Customers are responsible for defining key Customers are responsible for defining key
keys to verify that strong keys are generated. cardholder data. characteristics whether generated in characteristics whether generated in
Microsoft Azure or imported from their Microsoft Azure or imported from their
environment. environment.
3.6.2 Secure cryptographic key distribution 3.6.2.a Verify that key-management The encryption solution must distribute keys For customers using Key Vault: Customers are responsible for managing Customers are responsible for managing
procedures specify how to securely distribute securely, meaning the keys are distributed The bring your own key (BYOK) tool cryptographic keys and documenting all cryptographic keys and documenting all
keys. only to custodians identified in 3.5.1, and are encapsulates the customer key, and targets related procedures. related procedures.
never distributed in the clear. a specific security vault which is tied to a
3.6.2.b Observe the method for distributing specific Azure subscription. The key can For customers using Key Vault: For customers using Key Vault:
keys to verify that keys are distributed only be imported to the defined Customers are responsible for selecting the Customers are responsible for selecting the
securely. subscription’s key vault, in the specified correct key vault for an import using the correct key vault for an import using the
region. This process uses the encryption BYOK tool. BYOK tool.
procedures provided by the hardware
manufacturer. Customers receive a
notification that the transfer was
successful.
3.6.3 Secure cryptographic key storage 3.6.3.a Verify that key-management The encryption solution must store keys For customers using Key Vault: Customers are responsible for managing Customers are responsible for managing
procedures specify how to securely store keys. securely, for example, by encrypting them Keys are stored in the HSMs, and are cryptographic keys and documenting all cryptographic keys and documenting all
with a key-encrypting key. Storing keys secured using the hardware manufacturer’s related procedures. related procedures.
3.6.3.b Observe the method for storing keys to without proper protection could provide cryptographic security. The metadata on
verify that keys are stored securely. access to attackers, resulting in the keys in stored in Azure Storage in an
decryption and exposure of cardholder data. encrypted state, which is unique to each
key vault.
3.6.4 Cryptographic key changes for keys that 3.6.4.a Verify that key-management A cryptoperiod is the time span during which For customers using Key Vault: Customers are responsible for creating and Customers are responsible for creating and
have reached the end of their cryptoperiod (for procedures include a defined cryptoperiod for a particular cryptographic key can be used Key Vault supports functionality to update enforcing defined cryptoperiods for which enforcing defined cryptoperiods for which
example, after a defined period of time has passed each key type in use and define a process for for its defined purpose. Considerations for or roll keys, which is defined by the a particular cryptographic key can be used. a particular cryptographic key can be used.
and/or after a certain amount of cipher-text has key changes at the end of the defined defining the cryptoperiod include, but are customer.
been produced by a given key), as defined by the cryptoperiod(s). not limited to, the strength of the underlying For customers using Key Vault: For customers using Key Vault:
associated application vendor or key owner, and algorithm, size or length of the key, risk of Customers are responsible for setting the Customers are responsible for setting the
based on industry best practices and guidelines key compromise, and the sensitivity of the cryptoperiod for a key in Key Vault. cryptoperiod for a key in Key Vault.
(for example, NIST Special Publication 800-57). data being encrypted.
3.6.4.b Interview personnel to verify that keys Periodic changing of encryption keys when
are changed at the end of the defined the keys have reached the end of their
cryptoperiod(s). cryptoperiod is imperative to minimize the
risk of someone’s obtaining the encryption
keys, and using them to decrypt data.
3.6.5 Retirement or replacement (for example, 3.6.5.a Verify that key-management Keys that are no longer used or needed, or For customers using Key Vault: Customers are responsible for retiring and Customers are responsible for retiring and
archiving, destruction, and/or revocation) of keys procedures specify processes for the following: keys that are known or suspected to be Key Vault supports functionality to retire or replacing keys as necessary when replacing keys as necessary when
as deemed necessary when the integrity of the - The retirement or replacement of keys when compromised, should be revoked and/or replace, which is defined by the customer. cryptographic keys are suspected of being cryptographic keys are suspected of being
key has been weakened (for example, departure the integrity of the key has been weakened destroyed to ensure that the keys can no weakened or compromised. weakened or compromised.
of an employee with knowledge of a clear-text key - The replacement of known or suspected longer be used. If such keys need to be kept
component), or keys are suspected of being compromised keys. (for example, to support archived, encrypted For customers using Key Vault: For customers using Key Vault:
compromised. - Any keys retained after retiring or replacing data) they should be strongly protected. Customers are responsible for setting the Customers are responsible for setting the
are not used for encryption operations The encryption solution should provide for lifecycle of the key in Key Vault. lifecycle of the key in Key Vault.
Note: If retired or replaced cryptographic keys and facilitate a process to replace keys that
need to be retained, these keys must be securely are due for replacement or that are known to
archived (for example, by using a key-encryption be, or suspected of being, compromised.
key). Archived cryptographic keys should only be
used for decryption/verification purposes.
key has been weakened (for example, departure destroyed to ensure that the keys can no weakened or compromised. weakened or compromised.
of an employee with knowledge of a clear-text key longer be used. If such keys need to be kept
component), or keys are suspected of being (for example, to support archived, encrypted For customers using Key Vault: For customers using Key Vault:
compromised. data) they should be strongly protected. Customers are responsible for setting the Customers are responsible for setting the
The encryption solution should provide for lifecycle of the key in Key Vault. lifecycle of the key in Key Vault.
Note: If retired or replaced cryptographic keys and facilitate a process to replace keys that
need to be retained, these keys must be securely are due for replacement or that are known to
archived (for example, by using a key-encryption be, or suspected of being, compromised.
key). Archived cryptographic keys should only be
used for decryption/verification purposes.
3.6.5.b Interview personnel to verify the

following processes are implemented:
- Keys are retired or replaced as necessary
when the integrity of the key has been
weakened, including when someone with
knowledge of the key leaves the company.
- Keys are replaced if known or suspected to be
compromised.
- Any keys retained after retiring or replacing
are not used for encryption operations.
3.6.6 If manual clear-text cryptographic key- 3.6.6.a Verify that manual clear-text key- Split knowledge and dual control of keys are Not applicable Customers are responsible for managing Customers are responsible for managing
management operations are used, these management procedures specify processes for used to eliminate the possibility of one cryptographic keys and documenting all cryptographic keys and documenting all
operations must be managed using split the use of the following: person having access to the whole key. This related procedures. related procedures.
knowledge and dual control. - Split knowledge of keys, such that key control is applicable for manual key-
components are under the control of at least management operations, or where key
Note: Examples of manual key-management two people who only have knowledge of their management is not implemented by the
operations include, but are not limited to: key own key components; AND encryption product.
generation, transmission, loading, storage and - Dual control of keys, such that at least two
destruction. people are required to perform any key- Split knowledge is a method in which two or
management operations and no one person more people separately have key
has access to the authentication materials (for components, where each person knows only
example, passwords or keys) of another. their own key component, and the individual
key components convey no knowledge of the
original cryptographic key).
3.6.6 b Interview personnel and/or observe Dual control requires two or more people to
processes to verify that manual clear-text keys perform a function, and no single person can
are managed with: access or use the authentication materials of
- Split knowledge, AND another.
- Dual control
3.6.7 Prevention of unauthorized substitution of 3.6.7.a Verify that key-management The encryption solution should not allow for For customers using Key Vault: Customers are responsible for managing Customers are responsible for managing
cryptographic keys. procedures specify processes to prevent or accept substitution of keys coming from Key Vaults are logically separated, and do cryptographic keys and documenting all cryptographic keys and documenting all
unauthorized substitution of keys. unauthorized sources or unexpected not support cross-directory authorization. related procedures. related procedures.
processes. As a result, unauthorized substitution is
3.6.7.b Interview personnel and/or observe prevented.
processes to verify that unauthorized
substitution of keys is prevented.
3.6.8 Requirement for cryptographic key 3.6.8.a Verify that key-management This process will help ensure individuals that Not applicable Customers are responsible for managing Customers are responsible for managing
custodians to formally acknowledge that they procedures specify processes for key act as key custodians commit to the key- cryptographic keys and documenting all cryptographic keys and documenting all
understand and accept their key-custodian custodians to acknowledge (in writing or custodian role and understand and accept related procedures. related procedures.
responsibilities. electronically) that they understand and accept the responsibilities.
their key-custodian responsibilities.
3.6.8.b Observe documentation or other

evidence showing that key custodians have
acknowledged (in writing or electronically) that
they understand and accept their key-
custodian responsibilities.
3.7 Ensure that security policies and operational 3.7 Examine documentation interview Personnel need to be aware of and following Not applicable Customers are responsible for managing Customers are responsible for managing
procedures for protecting stored cardholder data personnel to verify that security policies and security policies and documented cryptographic keys and documenting all cryptographic keys and documenting all
are documented, in use, and known to all affected operational procedures for protecting stored operational procedures for managing the related procedures. related procedures.
parties. cardholder data are: secure storage of cardholder data on a
- Documented, continuous basis.
- In use, and
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data
environments

4.1 Use strong cryptography and security 4.1.a Identify all locations where cardholder Sensitive information must be encrypted Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
protocols (for example, TLS, IPSEC, SSH, etc.) to data is transmitted or received over open, during transmission over public networks, strong cryptography and secure protocols strong cryptography and secure protocols
safeguard sensitive cardholder data during public networks. Examine documented because it is easy and common for a are used to connect to their Azure are used to connect to their Azure
transmission over open, public networks, including standards and compare to malicious individual to intercept and/or environment. environment.
the following: systemconfigurations to verify the use of divert data while in transit.
- Only trusted keys and certificates are accepted. security protocols and strong cryptography for Secure transmission of cardholder data
- The protocol in use only supports secure versions all locations. requires using trusted keys/certificates, a
or configurations. secure protocol for transport, and proper
- The encryption strength is appropriate for the encryption strength to encrypt cardholder
encryption methodology in use. data. Connection requests
4.1.b Review documented policies and from systems that do not support the
Note: Where SSL/early TLS is used, the procedures to verify processes are specified for required encryption strength, and that
requirements in Appendix A2 must be completed. the following: would result in an insecure connection,
- For acceptance of only trusted keys and/or should not be accepted.
Examples of open, public networks include certificates Note that some protocol implementations
but are not limited to: - For the protocol in use to only support secure (such as SSL, SSH v1.0, and early TLS) have
- The Internet versions and configurations (that insecure known vulnerabilities that an attacker can
- Wireless technologies, including 802.11 and versions or configurations are not supported) use to gain control of the affected system.
Bluetooth - For implementation of proper encryption Whichever security protocol is used, ensure
- Cellular technologies, for example, Global System strength per the encryption methodology in it is configured to use only secure versions
for Mobile communications (GSM), Code division use and configurations to prevent
multiple access (CDMA) use of an insecure connection—for example,
- General Packet Radio Service (GPRS) by using only trusted certificates and
- Satellite communications supporting only strong encryption (not
supporting weaker, insecure protocols or
methods).
4.1.c Select and observe a sample of inbound Verifying that certificates are trusted (for
and outbound transmissions as they occur to example, have not expired and are issued
verify that all cardholder data is encrypted from a trusted source) helps ensure the
with strong cryptography during transit. integrity of the secure connection.
4.1.d Examine keys and certificates to verify Generally, the web page URL should begin
that only trusted keys and/or certificates arewith "HTTPS" and/or the web browser
accepted. display a padlock icon somewhere in the
window of the browser. Many TLS certificate
4.1.e Examine system configurations to verify vendors also provide a highly visible
that the protocol is implemented to use only verification seal—sometimes referred to as a
secure configurations and does not support “security seal,” "secure site seal," or “secure
insecure versions or configurations. trust seal”)—which may provide the ability
to click on the seal to
4.1.f Examine system configurations to verify reveal information about the website.
that the proper encryption strength is Refer to industry standards and best
implemented for the encryption methodology practices for information on strong
in use. (Check vendor recommendations/best cryptography and secure protocols (e.g.,
practices.) NIST SP 800-52 and SP 800-57, OWASP, etc.)
4.1.g For TLS implementations, examine

system configurations to verify that TLS is
enabled whenever cardholder data is
transmitted or received.
For example, for browser-based
implementations:
• “HTTPS” appears as the browser Universal
Record Locator (URL) protocol; and
• Cardholder data is only requested if “HTTPS”
appears as part of the URL.
4.1.1 Ensure wireless networks transmitting 4.1.1 Identify all wireless networks transmitting Malicious users use free and widely available Not applicable Not applicable Customers are responsible for ensuring
cardholder data or connected to the cardholder cardholder data or connected to the tools to eavesdrop on wireless strong cryptography and secure protocols
data environment, use industry best practices (for cardholder data environment. Examine communications. Use of strong cryptography in any wireless environment located on-
example, IEEE 802.11i) to implement strong documented standards and compare to system can help limit disclosure of sensitive premise, outside the Azure boundary
encryption for authentication and transmission. configuration settings to verify the following information across wireless networks.
for all wireless networks identified: Strong cryptography for authentication and
- Industry best practices (for example, IEEE transmission of cardholder data is required
802.11i) are used to implement strong to prevent malicious users from gaining
encryption for authentication and access to the wireless network or utilizing
transmission. wireless networks to access other internal
- Weak encryption (for example, WEP, SSL) is networks or data.
not used as a security control for
authentication or transmission.
4.2 Never send unprotected PANs by end-user 4.2.a If end-user messaging technologies are E-mail, instant messaging, SMS, and chat can Not applicable Customers are responsible for securing PAN Customers are responsible for securing PAN
messaging technologies (for example, e-mail, used to send cardholder data, observe be easily intercepted by packet-sniffing transmissions. transmissions.
instant messaging, SMS, chat, etc.). processes for sending PAN and examine a during delivery across internal and public
sample of outbound transmissions as they networks. Do not utilize these messaging
occur to verify that PAN is rendered tools to send PAN unless they are configured
unreadable or secured with strong to provide strong encryption.
cryptography whenever it is sent via end-user Additionally, if an entity requests PAN via
messaging technologies. end-user messaging technologies, the entity
should provide a tool or method to protect
these PANs using strong cryptography or
4.2.b Review written policies to verify the render PANs unreadable before
existence of a policy stating that unprotected transmission.
PANs are not to be sent via end-user
messaging technologies.
4.3 Ensure that security policies and operational 4.3 Examine documentation interview Personnel need to be aware of and following Not applicable Customers are responsible for documenting Customers are responsible for documenting
procedures for encrypting transmissions of personnel to verify that security policies and security policies and operational procedures and encrypting transmissionsm containing and encrypting transmissionsm containing
cardholder data are documented, in use, and operational procedures for encrypting for managing the secure transmission of cardholder data. cardholder data.
known to all affected parties. transmissions of cardholder data are: cardholder data on a continuous basis.
- Documented,
- In use, and
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business-approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems
commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.

5.1 Deploy anti-virus software on all systems 5.1 For a sample of system components There is a constant stream of attacks using Microsoft Azure manages anti-malware for Not applicable Customers are responsible for ensuring
commonly affected by malicious software including all operating system types commonly widely published exploits, often called "zero PaaS services. anti-malware software is deployed on all
(particularly personal computers and servers). affected by malicious software, verify that anti- day" (an attack that exploits a previously systems in the CDE commonly affected by
virus software is deployed if applicable anti- unknown vulnerability), against otherwise malicious software.
virus technology exists. secured systems. Without an anti-virus
solution that is updated regularly, these new Customers may enable Azure Antimalware
forms of malicious software can attack to leverage Azure's anti-malware
systems, disable a network, or lead to protections. Customers are still responsibe
compromise of data. for configuration options under their
control.
5.1.1 Ensure that anti-virus programs are capable 5.1.1 Review vendor documentation and It is important to protect against ALL types Microsoft Azure manages anti-malware for Not applicable Customers are responsible for evaluating,
of detecting, removing, and protecting against all examine anti-virus configurations to verify that and forms of malicious software. PaaS services, and offers Azure selecting, deploying, and reviewing
known types of malicious software. anti-virus programs; Antimalware for IaaS instances. effectiveness of anti-malware software on
- Detect all known types of malicious software, all VMs that store, process or transmit CHD.
- Remove all known types of malicious
software, and
- Protect against all known types of malicious Customers may enable Azure Antimalware
software. to leverage Azure's anti-malware
protections. Customers are still responsibe
Examples of types of malicious software for configuration options under their
include viruses, Trojans, worms, spyware, control.
adware, and rootkits.
5.1.2 For systems considered to be not commonly 5.1.2 Interview personnel to verify that Typically, mainframes, mid-range computers Microsoft Azure manages anti-malware for Not applicable Customers are responsible for making the
affected by malicious software, perform periodic evolving malware threats are monitored and (such as AS/400) and similar systems may not PaaS services, and offers Azure determination as to whether certain Linux
evaluations to identify and evaluate evolving evaluated for systems not currently considered currently be commonly targeted or affected Antimalware for IaaS instances. or Mac OS distributions are not commonly
malware threats in order to confirm whether such to be commonly affected by malicious by malware. However, industry trends for affected by malicious software.
systems continue to not require anti-virus software, in order to confirm whether such malicious software can change quickly, so it
software. systems continue to not require anti-virus is important for organizations to be aware of Customers may enable Azure Antimalware
software. new malware that might affect their systems to leverage Azure's anti-malware
—for example, by monitoring vendor security protections. Customers are still responsibe
notices and anti-virus news groups to for configuration options under their
determine whether their systems might be control.
coming under threat from new and evolving
malware.
Trends in malicious software should be
included in the identification of new security
vulnerabilities, and methods to address new
trends should be incorporated into the
company's configuration standards and
protection mechanisms as needed
5.2 Ensure that all anti-virus mechanisms are 5.2.a Examine policies and procedures to verify Even the best anti-virus solutions are limited Microsoft Azure manages anti-malware for Not applicable Customers are responsible for ensuring
maintained as follows: that anti-virus software and definitions are in effectiveness if they are not maintained PaaS services, and offers Azure their anti-malware software deployed on
- Are kept current, required to be kept up to date. and kept current with the latest security Antimalware for IaaS instances. their in-scope IaaS instances is kept current
- Perform periodic scans updates, signature files, or malware and regularly updated, performing
- Generate audit logs which are retained per PCI 5.2.b Examine anti-virus configurations, protections. regularly scheduled scans, and generating
DSS Requirement 10.7. including the master installation of the Audit logs provide the ability to monitor virus audit logs.
software to verify anti-virus mechanisms are: and malware activity and anti-malware
- Configured to perform automatic updates, reactions. Customers may enable Azure Antimalware
and Thus, it is imperative that anti-malware to leverage Azure's anti-malware
- Configured to perform periodic scans. solutions be configured to generate audit protections. Customers are still responsibe
logs and that these logs be managed in for configuration options under their
accordance with Requirement 10. control.
5.2.c Examine a sample of system components,
including all operating system types commonly
affected by malicious software, to verify that:
- The anti-virus software and definitions are
current.
- Periodic scans are performed.
5.2.d Examine anti-virus configurations,

including the master installation of the
software and a sample of system components,
to verify that:
- Anti-virus software log generation is enabled,
and
- Logs are retained in accordance with PCI DSS
Requirement 10.7.
5.3 Ensure that anti-virus mechanisms are actively 5.3.a Examine anti-virus configurations, Anti-virus that continually runs and is unable Microsoft Azure manages anti-malware for Not applicable Customers are responsible for ensuring
running and cannot be disabled or altered by including the master installation of the to be altered will provide persistent security PaaS services, and offers Azure their anti-malware software may not be
users, unless specifically authorized by software and a sample of system components, against malware. Antimalware for IaaS instances. disabled by end-users.
management on a case-by-case basis for a limited to verify the anti-virus software is actively Use of policy-based controls on all systems to
time period. running. ensure anti-malware protections cannot be Customers may enable Azure Antimalware
altered or disabled will help prevent system to leverage Azure's anti-malware
Note: Anti-virus solutions may be temporarily weaknesses from being exploited by protections. Customers are still responsibe
disabled only if there is legitimate technical need, malicious software. for configuration options under their
as authorized by management on a case-by-case Additional security measures may also need control.
basis. If anti-virus protection needs to be disabled to be implemented for the period of time
for a specific purpose, it must be formally during which anti-virus protection is not
authorized. Additional security measures may also active—for example, disconnecting the
need to be implemented for the period of time unprotected system from the Internet while
during which anti-virus protection is not active. the anti-virus protection is disabled, and
running a full scan after it is re-enabled.
5.3 Ensure that anti-virus mechanisms are actively Anti-virus that continually runs and is unable Microsoft Azure manages anti-malware for Not applicable Customers are responsible for ensuring
running and cannot be disabled or altered by to be altered will provide persistent security PaaS services, and offers Azure their anti-malware software may not be
users, unless specifically authorized by against malware. Antimalware for IaaS instances. disabled by end-users.
management on a case-by-case basis for a limited Use of policy-based controls on all systems to
time period. ensure anti-malware protections cannot be Customers may enable Azure Antimalware
altered or disabled will help prevent system to leverage Azure's anti-malware
Note: Anti-virus solutions may be temporarily 5.3.b Examine anti-virus configurations, weaknesses from being exploited by protections. Customers are still responsibe
disabled only if there is legitimate technical need, including the master installation of the malicious software. for configuration options under their
as authorized by management on a case-by-case software and a sample of system components, Additional security measures may also need control.
basis. If anti-virus protection needs to be disabled to verify that the anti-virus software cannot be to be implemented for the period of time
for a specific purpose, it must be formally disabled or altered by users. during which anti-virus protection is not
authorized. Additional security measures may also active—for example, disconnecting the
need to be implemented for the period of time unprotected system from the Internet while
during which anti-virus protection is not active. 5.3.c Interview responsible personnel and the anti-virus protection is disabled, and
observe processes to verify that anti-virus running a full scan after it is re-enabled.
software cannot be disabled or altered by
users, unless specifically authorized by
management on a case-by-case basis for a
limited time period.
5.4 Ensure that security policies and operational 5.4 Examine documentation and interview Personnel need to be aware of and following Microsoft Azure manages anti-malware for Not applicable Customers are responsible for creating and
procedures for protecting systems against personnel to verify that security policies and security policies and operational procedures PaaS services, and offers Azure maintaining policies for protecting systems
malware are documented, in use, and known to all operational procedures for protecting systems to ensure systems are protected from Antimalware for IaaS instances. within their CDE against malware.
affected parties. against malware are: malware on a continuous basis.
- Documented,
- In use, and
Requirement 6: Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder
data by malicious individuals and malicious software. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system
development processes and secure coding techniques.

6.1 Establish a process to identify security 6.1.a Examine policies and procedures to verify The intent of this requirement is that Procedures have been established and Customers are responsible for designing, Customers are responsible for designing,
vulnerabilities, using reputable outside sources for that processes are defined for the following: organizations keep up to date with new implemented to scan for vulnerabilities on maintaining, and implementing a process maintaining, and implementing a process
security vulnerability information, and assign a risk - To identify new security vulnerabilities vulnerabilities that may impact their hypervisor hosts in the scope boundary. for identifying security vulnerabilities and for identifying security vulnerabilities and
ranking (for example, as “high,” “medium,” or - To assign a risk ranking to vulnerabilities that environment. Vulnerability scanning is performed on assigning appropriate risk rankings. assigning appropriate risk rankings.
“low”) to newly discovered security vulnerabilities. includes identification of all “high risk” and server operating systems, databases, and
“critical” vulnerabilities. Sources for vulnerability information should network devices with the appropriate
Note: Risk rankings should be based on industry - To use reputable outside sources for security be trustworthy and often include vendor vulnerability scanning tools. The
best practices as well as consideration of potential vulnerability information. websites, industry news groups, mailing list, vulnerability scans are performed on a
impact. For example, criteria for ranking or RSS feeds. quarterly basis at minimum. Microsoft
vulnerabilities may include consideration of the Once an organization identifies a Azure contracts with independent
CVSS base score, and/or the classification by the 6.1.b Interview responsible personnel and vulnerability that could affect their assessors to perform penetration testing of
vendor, and/or type of systems affected. Methods observe processes to verify that: environment, the risk that the vulnerability the Microsoft Azure boundary. Red-Team
for evaluating vulnerabilities and assigning risk - New security vulnerabilities are identified. poses must be evaluated and ranked. The exercises are also routinely performed and
ratings will vary based on an organization’s - A risk ranking is assigned to vulnerabilities organization must therefore have a method results used to make security
environment and risk-assessment strategy. Risk that includes identification of all “high” risk in place to evaluate vulnerabilities on an improvements.
rankings should, at a minimum, identify all and “critical” vulnerabilities. ongoing basis and assign risk rankings to
vulnerabilities considered to be a “high risk” to the - Processes to identify new security those vulnerabilities. This is not achieved by
environment. In addition to the risk ranking, vulnerabilities include using reputable outside an ASV scan or internal vulnerability scan,
vulnerabilities may be considered “critical” if they sources for security vulnerability information. rather this requires a process to actively
pose an imminent threat to the environment, monitor industry sources for vulnerability
impact critical systems, and/or would result in a information.
potential compromise if not addressed. Examples
of critical systems may include security systems, Classifying the risks (for example, as “high,”
public-facing devices and systems, databases, and “medium,” or “low”) allows organizations to
other systems that store, process, or transmit identify, prioritize, and address the highest
cardholder data. risk items more quickly and reduce the
likelihood that vulnerabilities posing the
greatest risk will be exploited.
6.2 Ensure that all system components and 6.2.a Examine policies and procedures related There is a constant stream of attacks using Microsoft Azure is responsible for ensuring Not applicable Customers are responsible for ensuring all
software are protected from known vulnerabilities to security-patch installation to verify widely published exploits, often called "zero all network devices and hypervisor OS IaaS instances are protected from known
by installing applicable vendor-supplied security processes are defined for: day" (an attack that exploits a previously software is protected from known vulnerabilities by installing applicable
patches. Install critical security patches within one- Installation of applicable critical vendor- unknown vulnerability), against otherwise vulnerabilities by installing applicable vendor-supplied security patches.
month of release. supplied security patches within one month of secured systems. If the most recent patches vendor-supplied security patches. Unless a
release. are not implemented on critical systems as customer requests to not use the service, a
Note: Critical security patches should be identified - Installation of all applicable vendor-supplied soon as possible, a malicious individual can patch management process exists to
according to the risk ranking process defined in security patches within an appropriate time use these exploits to attack or disable a ensure that operating system level
Requirement 6.1. frame (for example, within three months). system, or gain access to sensitive data. vulnerabilities are prevented and
Prioritizing patches for critical infrastructure remediated in a timely manner. Production
ensures that high-priority systems and Servers are scanned to validate patch
devices are protected from vulnerabilities as compliance on a monthly basis.
soon as possible after a patch is released.
Consider prioritizing patch installations such
6.2.b For a sample of system components and that security patches for critical or at-risk
related software, compare the list of security systems are installed within 30 days, and
patches installed on each system to the most other lower-risk patches are installed within
recent vendor security-patch list, to verify the 2-3 months.
following: This requirement applies to applicable
- That applicable critical vendor-supplied patches for all installed software, including
security patches are installed within one payment applications (both those that are
month of release. PA-DSS validated and thosethat are not).
- All applicable vendor-supplied security
patches are installed within an appropriate
time frame (for example, within three
months).
6.3 Develop internal and external software 6.3.a Examine written software-development Without the inclusion of security during the Microsoft Azure applications and endpoints Customers are responsible for developing Customers are responsible for developing
applications (including web-based administrative processes to verify that the processes are requirements definition, design, analysis, and are developed in accordance with the and following a secure software and following a secure software
access to applications) securely, as follows: based on industry standards and/or best testing phases of software development, Microsoft Security Development Lifecycle development program for both classic and development program for both classic and
- In accordance with PCI DSS (for example, secure practices. security vulnerabilities can be inadvertently (SDL) methodology which is inline with DSS cloud based applications. Industry cloud based applications. Industry
authentication and logging) or maliciously introduced into the production requirements. standards, such as OWASP, should be standards, such as OWASP, should be
- Based on industry standards and/or best 6.3.b Examine written software-development environment. incorporated into the program. incorporated into the program.
practices. processes to verify that information security is Understanding how sensitive data is handled
- Incorporating information security throughout included throughout the life cycle. by the application—including when stored,
the software-development life cycle Note: this transmitted, and when in memory—can help
applies to all software developed internally as well 6.3.c Examine written software-development identify where data needs to be protected.
as bespoke or custom software developed by a processes to verify that software applications
third party. are developed in accordance with PCI DSS.
6.3.d Interview software developers to verify
that written software-development processes
are implemented.
6.3.1 Remove development, test and/or custom 6.3.1 Examine written software-development Development, test and/or custom application A Final Security Review (FSR) is performed Customers are responsible for ensuring all Customers are responsible for ensuring all
application accounts, user IDs, and passwords procedures and interview responsible accounts, user IDs, and passwords should be for major releases prior to production development and test accounts and development and test accounts and
before applications become active or are released personnel to verify that pre-production and/or removed from production code before the deployment by a designated Security passwords are removed from their servers passwords are removed from their servers
to customers. custom application accounts, user IDs and/or application becomes active or is released to Advisor outside of the Azure development and applications before promoting changes and applications before promoting changes
passwords are removed before an application customers, since these items may give away team to ensure only applications ready for to production. to production.
goes into production or is released to information about the functioning of the production are released. As part of this
customers. application. Possession of such information final review it is ensured that all test
could facilitate compromise of the accounts and test data have been
application and related cardholder data. removed.
6.3.2 Review custom code prior to release to 6.3.2.a Examine written software-development Security vulnerabilities in custom code are Microsoft Azure applications and endpoints Customers are responsible for having a Customers are responsible for having a
production or customers in order to identify any procedures and interview responsible commonly exploited by malicious individuals are developed in accordance with the documented, approved and in-place SDLC documented, approved and in-place SDLC
potential coding vulnerability (using either manual personnel to verify that all custom application to gain access to a network and compromise Microsoft Security Development Lifecycle program that incorporates code review program that incorporates code review
or automated processes) to include at least the code changes must be reviewed (using either cardholder data. (SDL) methodology. prior to release. The program should be prior to release. The program should be
following: manual or automated processes) as follows: aligned with industry standards and should aligned with industry standards and should
- Code changes are reviewed by individuals other - Code changes are reviewed by individuals An individual knowledgeable and also incorporate independent third party also incorporate independent third party
than the originating code author, and by other than the originating code author, and by experienced in code-review techniques application review. application review.
individuals knowledgeable about code-review individuals who are knowledgeable in code- should be involved in the review process.
techniques and secure coding practices. review techniques and secure coding Code reviews should be performed by
- Code reviews ensure code is developed practices. someone other than the developer of the
according to secure coding guidelines - Code reviews ensure code is developed code to allow for an independent, objective
- Appropriate corrections are implemented prior according to secure coding guidelines (see PCI review. Automated tools or processes may
to release. DSS Requirement 6.5). also be used in lieu of manual reviews, but
- Code-review results are reviewed and approved - Appropriate corrections are implemented keep in mind that it may be difficult or even
by management prior to release. prior to release. impossible for an automated tool to identify
- Code-review results are reviewed and some coding issues.
Note: This requirement for code reviews applies to approved by management prior to release.
all custom code (both internal and public-facing), Correcting coding errors before the code is
as part of the system development life cycle. Code deployed into a production environment or
reviews can be conducted by knowledgeable released to customers prevents the code
internal personnel or third parties. Public-facing exposing the environments to potential
web applications are also subject to additional 6.3.2.b Select a sample of recent custom exploit. Faulty code is also far more difficult
controls, to address ongoing threats and application changes and verify that custom and expensive to address after it has been
vulnerabilities after implementation, as defined at application code is reviewed according to deployed or released into production
PCI DSS Requirement 6.6. 6.3.2.a, above. environments.
Including a formal review and signoff by

management prior to release helps to ensure
that code is approved and has been
developed in accordance with policies and
procedures.
6.4 Follow change control processes and 6.4 Examine policies and procedures to verify Without properly documented and Microsoft follows NIST guidance regarding Customers are responsible for creating and Customers are responsible for creating and
procedures for all changes to system components. the following are defined: implemented change controls, security security considerations in software maintaining their own change control maintaining their own change control
The processes must include the following: - Development/test environments are features could be inadvertently or development in that information security processes and procedures for all changes to processes and procedures for all changes to
separate from production environments with deliberately omitted or rendered inoperable, must be integrated into the SDLC from their in-scope Azure components. their in-scope Azure components.
access control in place to enforce separation. processing irregularities could occur, or system inception. Continual integration of
- A separation of duties between personnel malicious code could be introduced. security practices in the Microsoft SDL
assigned to the development/test enables early identification and mitigation
environments and those assigned to the of security vulnerabilities and
production environment. misconfigurations; awareness of potential
- Production data (live PANs) are not used for software coding challenges caused by
testing or development. required security controls; identification of
- Test data and accounts are removed before a shared security services and reuse of
production system becomes active. security best practices tools which
- Change control procedures related to improving security posture through proven
implementing security patches and software methods and techniques; and enforces
modifications are documented. Microsoft's already comprehensive risk
management program.
Microsoft Azure has established change

and release management processes to
control implementation of major changes
6.4.1 Separate development/test environments 6.4.1.a Examine network documentation and Due to the constantly changing state of including: Customers are responsible for maintaining Customers are responsible for maintaining
from production environments, and enforce the network device configurations to verify that development and test environments, they • The identification and documentation of segregation and access controls between segregation and access controls between
separation with access controls. the development/test environments are tend to be less secure than the production the planned change and test, development, production and and test, development, production and
separate from the production environment(s). environment. Without adequate separation • Identification of business goals, priorities Cardholder Data Environments (CDE). This Cardholder Data Environments (CDE). This
between environments, it may be possible and scenarios during product planning includes ensuring Iaas instances are includes ensuring Iaas instances are
for the production environment, and • Specification of feature/component created and deployed on appropriate created and deployed on appropriate
cardholder data, to be compromised due to design virtual networks. virtual networks.
6.4.1.b Examine access controls settings to less-stringent security configurations and
verify that access controls are in place to • Operational readiness review based on a
possible vulnerabilities in a test or pre-defined criteria/check-list to assess
enforce separation between the development environment.
development/test environments and the overall risk/impact
production environment(s). • Testing, authorization and change
management based on entry/exit criteria
for DEV (development), INT (Integration
Testing), STAGE (Pre-production) and PROD
(production) environments as appropriate.
6.4.2 Separation of duties between 6.4.2 Observe processes and interview Reducing the number of personnel with Customers are responsible for their own
development/test and production environments personnel assigned to development/test access to the production environment and applications hosted in Microsoft Azure.
environments and personnel assigned to cardholder data minimizes risk and helps
production environments to verify that ensure that access is limited to those
separation of duties is in place between individuals with a business need to know.
development/test environments and the The intent of this requirement is to separate
production environment. development and test functions from
production functions. For example, a
developer may use an administrator-level
account with elevated privileges in the
development environment, and have a
separate account with user-level access to
the production environment.
6.4.3 Production data (live PANs) are not used for 6.4.3.a Observe testing processes and Security controls are usually not as stringent Customers are responsible for maintaining Customers are responsible for maintaining
testing or development interview personnel to verify procedures are in in test or development environments. Use of production data (live PANs) are not used production data (live PANs) are not used
place to ensure production data (live PANs) are production data provides malicious for testing or development. for testing or development.
not used for testing or development. individuals with the opportunity to gain
unauthorized access to production data
6.4.3.b Examine a sample of test data to verify (cardholder data).
production data (live PANs) is not used for
testing or development.
6.4.4 Removal of test data and accounts from 6.4.4.a Observe testing processes and Test data and accounts should be removed Customers are responsible for removal of Customers are responsible for removal of
system components before the system becomes interview personnel to verify test data and from production code before the application test data and accounts before promoting test data and accounts before promoting
active / goes into production. accounts are removed before a production becomes active, since these items may give changes to production. changes to production.
system becomes active. away information about the functioning of
the application or system. Possession of such
6.4.4.b Examine a sample of data and accounts information could facilitate compromise of
from production systems recently installed or the system and related cardholder data.
updated to verify test data and accounts are
removed before the system becomes active.
6.4.5 Change control procedures for the 6.4.5.a Examine documented change control If not properly managed, the impact of Customers are responsible for creating and Customers are responsible for creating and
implementation of security patches and software procedures related to implementing security software updates and security patches might maintaining their own change control maintaining their own change control
modifications must include the following: patches and software modifications and verify not be fully realized and could have processes and procedures for all changes to processes and procedures for all changes to
procedures are defined for: unintended consequences. their in-scope Azure components. their in-scope Azure components.
- Documentation of impact
- Documented change approval by authorized
parties
- Functionality testing to verify that the change
does not adversely impact the security of the
system
- Back-out procedures
6.4.5 Change control procedures for the If not properly managed, the impact of Customers are responsible for creating and Customers are responsible for creating and
implementation of security patches and software software updates and security patches might maintaining their own change control maintaining their own change control
modifications must include the following: not be fully realized and could have processes and procedures for all changes to processes and procedures for all changes to
unintended consequences. their in-scope Azure components. their in-scope Azure components.
6.4.5.b For a sample of system components,

interview responsible personnel to determine
recent changes/security patches. Trace those
changes back to related change control
documentation. For each change examined,
perform the following:
6.4.5.1 Documentation of impact. 6.4.5.1 Verify that documentation of impact is The impact of the change should be
included in the change control documentation documented so that all affected parties can
for each sampled change. plan appropriately for any processing
changes.
6.4.5.2 Documented change approval by 6.4.5.2 Verify that documented approval by Approval by authorized parties indicates that
authorized parties. authorized parties is present for each sampled the change is a legitimate and approved
change. change sanctioned by the organization.
6.4.5.3 Functionality testing to verify that the 6.4.5.3.a For each sampled change, verify that Thorough testing should be performed to
change does not adversely impact the security of functionality testing is performed to verify that verify that the security of the environment is
the system. the change does not adversely impact the not reduced by implementing a change.
security of the system. Testing should validate that all existing
security controls remain in place, are
replaced with equally strong controls, or are
6.4.5.3.b For custom code changes, verify that strengthened after any change to the
all updates are tested for compliance with PCI environment.
DSS Requirement 6.5 before being deployed
into production.
6.4.5.4 Back-out procedures. 6.4.5.4 Verify that back-out procedures are For each change, there should be
prepared for each sampled change. documented back-out procedures in case the
change fails or adversely affects the security
of an application or system, to allow the
system to be restored back to its previous
state.
6.4.6 Upon completion of a significant change, all 6.4.6 For a sample of significant changes, Having processes to analyze significant
relevant PCI DSS requirements must be examine change records, interview personnel, changes helps ensure that all appropriate PCI
implemented on all new or changed systems and and observe the affected systems/networks to DSS controls are applied to any systems or
networks, and documentation updated as verify that applicable PCI DSS requirements networks added or changed within the in-
applicable. were implemented and documentation scope environment.
updated as part of the change. Building this validation into change
management processes helps ensure that
device inventories and configuration
standards are kept up to date and security
controls are applied where needed.
A change management process should
include supporting evidence that PCI DSS
requirements are implemented or preserved
through the iterative process. Examples of
PCI DSS requirements that
could be impacted include, but are not
limited to:
- Network diagram is updated to reflect
changes.
- Systems are configured per configuration
standards, with all default passwords
changed and unnecessary services disabled.
- Systems are protected with required
controls—e.g., file-integrity monitoring (FIM),
anti-virus, patches, audit logging.
-Sensitive authentication data (SAD) is not
stored and all cardholder data (CHD) storage
is documented and incorporated into data-
retention policy and procedures
- New systems are included in the quarterly
vulnerability scanning process.
6.5 Address common coding vulnerabilities in 6.5.a Examine software-development policies The application layer is high-risk and may be Customers are responsible for protecting Customers are responsible for protecting
software-development processes as follows: and procedures to verify that training in secure targeted by both internal and external against common coding vulnerabilities, against common coding vulnerabilities,
- Train developers at least annually in up-to-date coding techniques is required for developers, threats. training developers in secure coding training developers in secure coding
secure coding techniques, including how to avoid based on industry best practices and guidance. Requirements 6.5.1 through 6.5.10 are the techniques, and understanding how to techniques, and understanding how to
common coding vulnerabilities. minimum controls that should be in place, properly handle data in memory. properly handle data in memory.
- Develop applications based on secure coding and organizations should incorporate the
guidelines. relevant secure coding practices as
6.5.b Examine records of training to verify that applicable to the particular technology in
Note: The vulnerabilities listed at 6.5.1 through software developers receive up-to-date their environment.
6.5.10 were current with industry best practices training on secure coding techniques at least Application developers should be properly
when this version of PCI DSS was published. annually, including how to avoid common trained to identify and resolve issues related
However, as industry best practices for coding vulnerabilities. to these (and other) common coding
vulnerability management are updated (for vulnerabilities. Having staff knowledgeable of
example, the OWASP Guide, SANS CWE Top 25, secure coding guidelines should minimize the
CERT Secure Coding, etc.), the current best 6.5.c Verify that processes are in place to number of security vulnerabilities introduced
practices must be used for these requirements. protect applications from, at a minimum, the through poor coding practices. Training for
following vulnerabilities: developers may be provided in-house or by
third parties and should be applicable for
technology used.
As industry-accepted secure coding practices
change, organizational coding practices and
developer training should likewise be
updated to address new threats—for
example, memory scraping attacks.
The vulnerabilities identified in 6.5.1 through
6.5.10 provide a minimum baseline. It is up
to the organization to remain up to date with
vulnerability trends and incorporate
appropriate measures into their secure
coding practices.
6.5.1 Injection flaws, particularly SQL injection. 6.5.1 Examine software-development policies Injection flaws, particularly SQL injection, are
Also consider OS Command Injection, LDAP and and procedures and interview responsible a commonly used method for compromising
XPath injection flaws as well as other injection personnel to verify that injection flaws are applications. Injection occurs when user-
flaws. addressed by coding techniques that include: supplied data is sent to an interpreter as part
- Validating input to verify user data cannot of a command or query. The attacker's
modify meaning of commands and queries. hostile data tricks the interpreter into
- Utilizing parameterized queries. executing unintended commands or
changing data, and allows the attacker to
attack components inside the network
through the application, to initiate attacks
such as buffer overflows, or to reveal both
confidential information and server
application functionality.
Information should be validated before being
sent to the application—for example, by
checking for all alpha characters, mix of
alpha and numeric characters, etc.
6.5.2 Buffer overflows 6.5.2 Examine software-development policies Buffer overflows occur when an application
and procedures and interview responsible does not have appropriate bounds checking
personnel to verify that buffer overflows are on its buffer space. This can cause the
addressed by coding techniques that include: information in the buffer to be pushed out of
- Validating buffer boundaries. the buffer’s memory space and into
- Truncating input strings. executable memory space. When this occurs,
the attacker has the ability to insert malicious
code at the end of the buffer and then push
that malicious code into executable memory
space by overflowing the buffer. The
malicious code is then executed and often
enables the attacker remote access to the
application and/or infected system.
6.5.3 Insecure cryptographic storage 6.5.3 Examine software-development policies Applications that do not utilize strong
and procedures and interview responsible cryptographic functions properly to store
personnel to verify that insecure cryptographic data are at increased risk of being
storage is addressed by coding techniques compromised, and exposing authentication
that: credentials and/or cardholder data. If an
- Prevent cryptographic flaws. attacker is able to exploit weak cryptographic
- Use strong cryptographic algorithms and processes, they may be able to gain clear-
keys. text access to encrypted data.
6.5.4 Insecure communications 6.5.4 Examine software-development policies Applications that fail to adequately encrypt
and procedures and interview responsible network traffic using strong cryptography are
personnel to verify that insecure at increased risk of being compromised and
communications are addressed by coding exposing cardholder data. If an attacker is
techniques that properly authenticate and able to exploit weak cryptographic processes,
encrypt all sensitive communications. they may be able to gain control of an
application or even gain clear-text access to
encrypted data.
6.5.5 Improper error handling 6.5.5 Examine software-development policies Applications can unintentionally leak
and procedures and interview responsible information about their configuration or
personnel to verify that improper error internal workings, or expose privileged
handling is addressed by coding techniques information through improper error handling
that do not leak information via error methods. Attackers use this weakness to
messages (for example, by returning generic steal sensitive data or compromise the
rather than specific error details. system altogether. If a malicious individual
can create errors that the application does
not handle properly, they can gain detailed
system information, create denial-of-service
interruptions, cause security to fail, or crash
the server. For example, the message
"incorrect password provided" tells an
attacker the user ID provided was accurate
and that they should focus their efforts only
on the password. Use more generic error
messages, like "data could not be verified."
6.5.6 All “high risk” vulnerabilities identified in the 6.5.6 Examine software-development policies All vulnerabilities identified by an
vulnerability identification process (as defined in and procedures and interview responsible organization’s vulnerability risk-ranking
PCI DSS Requirement 6.1). personnel to verify that coding techniques process (defined in Requirement 6.1) to be
address any “high risk” vulnerabilities that “high risk” and that could affect the
could affect the application, as identified in PCI application should be identified and
DSS Requirement 6.1. addressed during application development.
Note: Requirements 6.5.7 through 6.5.10, below, apply to web applications and application Web applications, both internally and
interfaces (internal or external): externally (public) facing, have unique
security risks based upon their architecture
as well as the relative ease and occurrence of
compromise.
6.5.7 Cross-site scripting (XSS) 6.5.7 Examine software-development policies XSS flaws occur whenever an application
and procedures and interview responsible takes user-supplied data and sends it to a
personnel to verify that cross-site scripting web browser without first validating or
(XSS) is addressed by coding techniques that encoding that content. XSS allows attackers
include to execute script in the victim's browser,
- Validating all parameters before inclusion which can hijack user sessions, deface web
- Utilizing context-sensitive escaping. sites, possibly introduce worms, etc.
6.5.8 Improper access control (such as insecure 6.5.8 Examine software-development policies A direct object reference occurs when a
direct object references, failure to restrict URL and procedures and interview responsible developer exposes a reference to an internal
access, directory traversal, and failure to restrict personnel to verify that improper access implementation object, such as a file,
user access to functions). control—such as insecure direct object directory, database record, or key, as a URL
references, failure to restrict URL access, and or form parameter. Attackers can manipulate
directory traversal—is addressed by coding those references to access other objects
technique that includes: without authorization.
- Proper authentication of users Consistently enforce access control in
- Sanitizing input presentation layer and business logic for all
- Not exposing internal object references to URLs. Frequently, the only way an application
users protects sensitive functionality is by
- User interfaces that do not permit access to preventing the display of links or URLs to
unauthorized functions. unauthorized users. Attackers can use this
weakness to access and perform
unauthorized operations by accessing those
URLs directly.
An attacker may be able to enumerate and
navigate the directory structure of a website
(directory traversal) thus gaining access to
unauthorized information as well as gaining
further insight into the workings of the site
for later exploitation.
If user interfaces permit access to
unauthorized functions, this access could
result in unauthorized individuals gaining
access to privileged credentials or cardholder
data. Only authorized users should be
permitted to access direct object references
to sensitive resources. Limiting access to data
resources will help prevent cardholder data
from being presented to unauthorized
resources.
6.5.9 Cross-site request forgery (CSRF) 6.5.9 Examine software development policies A CSRF attack forces a logged-on victim's
and procedures and interview responsible browser to send a pre-authenticated request
personnel to verify that cross-site request to a vulnerable web application, which then
forgery (CSRF) is addressed by coding enables the attacker to perform any state-
techniques that ensure applications do not rely changing operations the victim is authorized
on authorization credentials and tokens to perform (such as updating account details,
automatically submitted by browsers. making purchases, or even authenticating to
the application).
6.5.10 Broken authentication and session 6.5.10 Examine software development policies Secure authentication and session
management and procedures and interview responsible management prevents unauthorized
personnel to verify that broken authentication individuals from compromising legitimate
Note: Requirement 6.5.10 is a best practice until and session management are addressed via account credentials, keys, or session tokens
June 30, 2015, after which it becomes a coding techniques that commonly include: that would otherwise enable the intruder to
requirement. - Flagging session tokens (for example cookies) assume the identity of an authorized user.
as “secure”
- Not exposing session IDs in the URL
- Incorporating appropriate time-outs and
rotation of session IDs after a successful login.
6.6 For public-facing web applications, address 6.6 For public-facing web applications, ensure Public-facing web applications are primary Microsoft Azure tests public-facing web Customers are responsible for ensuring all Customers are responsible for ensuring all
new threats and vulnerabilities on an ongoing that either one of the following methods is in targets for attackers, and poorly coded web applications as part of its SDL process public-facing web applications undergo public-facing web applications undergo
basis and ensure these applications are protected place as follows: applications provide an easy path for before applications are deployed to the security assessments at least annually, or security assessments at least annually, or
against known attacks by either of the following * Examine documented processes, interview attackers to gain access to sensitive data and production environment. Additionally, when a major change has been made. when a major change has been made.
methods: personnel, and examine records of application systems. The requirement for reviewing Microsoft scans all public-facing web
- Reviewing public-facing web applications via security assessments to verify that public- applications or installing web-application applications in production on a regular
manual or automated application vulnerability facing web applications are reviewed—using firewalls is intended to reduce the number of basis to detect any possible vulnerabilities.
security assessment tools or methods, at least either manual or automated vulnerability compromises on public-facing web
annually and after any changes Note: This security assessment tools or methods—as applications due to poor coding or
assessment is not the same as the vulnerability follows: application management practices.
scans performed for Requirement 11.2. - At least annually * Manual or automated vulnerability security
-Installing an automated technical solution that - After any changes assessment tools or methods review and/or
detects and prevents web-based attacks (for - By an organization that specializes in test the application for vulnerabilities
example, a web-application firewall) in front of application security * Web-application firewalls filter and block
public-facing web applications, to continually - That, at a minimum, all vulnerabilities in non-essential traffic at the application layer.
check all traffic. Requirement 6.5 are included in the Used in conjunction with a network-based
assessment firewall, a properly configured web-
- That all vulnerabilities are corrected application firewall prevents application-
- That the application is re-evaluated after the layer attacks if applications are improperly
corrections. coded or configured. This can be achieved
* Examine the system configuration settings through a combination of technology and
and interview responsible personnel to verify process. Process-based solutions must have
that an automated technical solution that mechanisms that facilitate timely responses
detects and prevents web-based attacks (for to alerts in order to meet the intent of this
example, a web-application firewall) is in place requirement, which is to prevent attacks.
as follows: Note: “An organization that specializes in
- Is situated in front of public-facing web application security” can be either a third-
applications to detect and prevent web-based party company or an internal organization, as
attacks. long as the reviewers specialize in application
- Is actively running and up to date as security and can demonstrate independence
applicable. from the development team.
- Is generating audit logs.
- Is configured to either block web-based
attacks, or generate an alert that is
immediately investigated.
6.7 Ensure that security policies and operational 6.7 Examine documentation and interview Personnel need to be aware of and following Not applicable The Customer must ensure that security The Customer must ensure that security
procedures for developing and maintaining secure personnel to verify that security policies and security policies and operational procedures policies and operational procedures for policies and operational procedures for
systems and applications are documented, in use, operational procedures for developing and to ensure systems and applications are developing and maintaining secure systems developing and maintaining secure systems
and known to all affected parties. maintaining secure systems and applications securely developed and protected from and applications are documented, in use, and applications are documented, in use,
are: vulnerabilities on a continuous basis. and known to all affected parties. and known to all affected parties.
- Documented,
- In use, and
Requirement 7: Restrict access to cardholder data by business need to know
To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.
“Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.

7.1 Limit access to system components and 7.1 Examine written policy for access control, The more people who have access to Azure enforces existing ISMS policies Customers are responsible for limiting Customers are responsible for limiting
cardholder data to only those individuals whose and verify that the policy incorporates 7.1.1 cardholder data, the more risk there is that a regarding Azure personnel access to Azure access to system components and access to system components and
job requires such access. through 7.1.4 as follows: user’s account will be used maliciously. system components, verification of access cardholder data to only those individuals cardholder data to only those individuals
- Defining access needs and privilege Limiting access to those with a legitimate control effectiveness, providing Just-In- whose job requires such access. This whose job requires such access. This
assignments for each role business reason for the access helps an Time administrative access, revoking access includes limiting and restricting access to includes limiting and restricting access to
- Restriction of access to privileged user IDs to organization prevent mishandling of when no longer needed, and ensuring staff the Azure Management Portal as well as the Azure Management Portal as well as
least privileges necessary to perform job cardholder data through inexperience or accessing the Azure platform environment specifying accounts or roles with specifying accounts or roles with
responsibilities malice. have a business need. Azure access to permission to create, modify or delete PaaS permission to create, modify or delete
- Assignment of access based on individual customer environments is highly restricted services. VMs.
personnel’s job classification and function and only allowed with customer approval.
- Documented approval (electronically or in
writing) by authorized parties for all access, Procedures have been established to
including listing of specific privileges approved. restrict physical access to the data center
to authorized employees, vendors,
contractors, and visitors. Security
verification and check-in are required for
personnel requiring temporary access to
the interior data center facility. Physical
access logs are reviewed every quarter by
Azure teams.
7.1.1 Define access needs for each role, including: 7.1.1 Select a sample of roles and verify access In order to limit access to cardholder data to Not applicable Customers are responsible for defining and Customers are responsible for defining and
- System components and data resources that needs for each role are defined and include: only those individuals who need such access, documenting a User ID approval process, documenting a User ID approval process,
each role needs to access for their job function - System components and data resources that first it is necessary to define access needs for defining least privileges, restricting access defining least privileges, restricting access
- Level of privilege required (for example, user, each role needs to access for their job function each role (for example, system administrator, to cardholder data, using unique IDs, to cardholder data, using unique IDs,
administrator, etc.) for accessing resources. - Identification of privilege necessary for each call center personnel, store clerk), the providing separation of duties, and providing separation of duties, and
role to perform their job function. systems/devices/data each role needs access revoking user access when no longer revoking user access when no longer
to, and the level of privilege each role needs necessary. necessary.
to effectively perform assigned tasks. Once
roles and corresponding access needs are
defined, individuals can be granted access
accordingly.
7.1.2 Restrict access to privileged user IDs to least 7.1.2.a Interview personnel responsible for When assigning privileged IDs, it is important Microsoft Azure has adopted applicable It is the responsibility of the customer to It is the responsibility of the customer to
privileges necessary to perform job assigning access to verify that access to to assign individuals only the privileges they corporate and organizational security employ the concept of least privilege, using employ the concept of least privilege, using
responsibilities. privileged user IDs is: need to perform their job (the “least policies, including an Information Security role-based security groups within their role-based security groups within their
- Assigned only to roles that specifically require privileges”). For example, the database Policy. The policies have been approved, organization. organization.
such privileged access administrator or backup administrator should published and communicated to Windows
- Restricted to least privileges necessary to not be assigned the same privileges as the Azure. The Microsoft Azure Information
perform job responsibilities. overall systems administrator. Security Policy requires that access to
7.1.2.b Select a sample of user IDs with Microsoft Azure assets be granted based on
privileged access and interview responsible Assigning least privileges helps prevent users business justification, with the asset
management personnel to verify that without sufficient knowledge about the owner's authorization and based on "need-
privileges assigned are: application from incorrectly or accidentally to-know" and "least-privilege" principles.
- Necessary for that individual’s job function changing application configuration or altering The policy also addresses requirements for
- Restricted to least privileges necessary to its security settings. Enforcing least privilege access management lifecycle including
perform job responsibilities. also helps to minimize the scope of damage if access provisioning, access authorization,
an unauthorized person gains access to a authentication removal of access rights and
user ID. periodic access reviews.
7.1.3 Assign access based on individual 7.1.3 Select a sample of user IDs and interview Once needs are defined for user roles (per Not applicable Customers are responsible for defining and Customers are responsible for defining and
personnel’s job classification and function. responsible management personnel to verify PCI DSS requirement 7.1.1), it is easy to grant documenting a User ID approval process, documenting a User ID approval process,
that privileges assigned are based on that individuals access according to their job defining least privileges, restricting access defining least privileges, restricting access
individual’s job classification and function. classification and function by using the to cardholder data, using unique IDs, to cardholder data, using unique IDs,
already-created roles. providing separation of duties, and providing separation of duties, and
revoking user access when no longer revoking user access when no longer
necessary. necessary.
7.1.4 Require documented approval by authorized 7.1.4 Select a sample of user IDs and compare Documented approval (for example, in Not applicable Customers are responsible for defining and Customers are responsible for defining and
parties specifying required privileges. with documented approvals to verify that: writing or electronically) assures that those documenting a User ID approval process, documenting a User ID approval process,
- Documented approval exists for the assigned with access and privileges are known and defining least privileges, restricting access defining least privileges, restricting access
privileges authorized by management, and that their to cardholder data, using unique IDs, to cardholder data, using unique IDs,
- The approval was by authorized parties access is necessary for their job function. providing separation of duties, and providing separation of duties, and
- That specified privileges match the roles revoking user access when no longer revoking user access when no longer
assigned to the individual. necessary. necessary.
7.2 Establish an access control system for systems 7.2 Examine system settings and vendor Without a mechanism to restrict access Not applicable Customers are responsible for defining and Customers are responsible for defining and
components that restricts access based on a user’s documentation to verify that an access control based on user’s need to know, a user may documenting a User ID approval process, documenting a User ID approval process,
need to know, and is set to “deny all” unless system is implemented as follows: unknowingly be granted access to cardholder defining least privileges, restricting access defining least privileges, restricting access
specifically allowed. data. An access control system automates to cardholder data, using unique IDs, to cardholder data, using unique IDs,
This access control system must include the the process of restricting access and providing separation of duties, and providing separation of duties, and
following: assigning privileges. Additionally, a default revoking user access when no longer revoking user access when no longer
“deny-all” setting ensures no one is granted necessary. necessary.
access until and unless a rule is established
specifically granting such access.
Note: Some access control systems are set by

default to “allow-all,” thereby permitting
access unless/until a rule is written to
specifically deny it.
7.2.1 Coverage of all system components 7.2.1 Confirm that access control systems are Without a mechanism to restrict access Not applicable Customers are responsible for defining and Customers are responsible for defining and
in place on all system components. based on user’s need to know, a user may documenting a User ID approval process, documenting a User ID approval process,
unknowingly be granted access to cardholder defining least privileges, restricting access defining least privileges, restricting access
data. An access control system automates to cardholder data, using unique IDs, to cardholder data, using unique IDs,
the process of restricting access and providing separation of duties, and providing separation of duties, and
assigning privileges. Additionally, a default revoking user access when no longer revoking user access when no longer
“deny-all” setting ensures no one is granted necessary. necessary.
access until and unless a rule is established
7.2.2 Assignment of privileges to individuals based 7.2.2 Confirm that access control systems are specifically granting such access. Not applicable Customers are responsible for defining and Customers are responsible for defining and
on job classification and function. configured to enforce privileges assigned to documenting a User ID approval process, documenting a User ID approval process,
individuals based on job classification and Note: Some access control systems are set by defining least privileges, restricting access defining least privileges, restricting access
function. default to “allow-all,” thereby permitting to cardholder data, using unique IDs, to cardholder data, using unique IDs,
access unless/until a rule is written to providing separation of duties, and providing separation of duties, and
specifically deny it. revoking user access when no longer revoking user access when no longer
7.2.3 Default “deny-all” setting. 7.2.3 Confirm that the access control systems Not applicable Customers are responsible for defining and Customers are responsible for defining and
have a default “deny-all” setting. documenting a User ID approval process, documenting a User ID approval process,
defining least privileges, restricting access defining least privileges, restricting access
to cardholder data, using unique IDs, to cardholder data, using unique IDs,
providing separation of duties, and providing separation of duties, and
7.3 Ensure that security policies and operational 7.3 Examine documentation interview Personnel need to be aware of and following Not applicable Customers are responsible for defining and Customers are responsible for defining and
procedures for restricting access to cardholder personnel to verify that security policies and security policies and operational procedures documenting a User ID approval process, documenting a User ID approval process,
data are documented, in use, and known to all operational procedures for restricting access to to ensure that access is controlled and based defining least privileges, restricting access defining least privileges, restricting access
affected parties. cardholder data are: on need-to-know and least privilege, on a to cardholder data, using unique IDs, to cardholder data, using unique IDs,
- Documented, continuous basis. providing separation of duties, and providing separation of duties, and
- In use, and revoking user access when no longer revoking user access when no longer
- Known to all affected parties. necessary. necessary.
Requirement 8: Identify and authenticate access to system components
Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.
The effectiveness of a password is largely determined by the design and implementation of the authentication system—particularly, how frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage. Note: These requirements are applicable
for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. This includes accounts used by vendors and other third parties (for example, for support or maintenance). However, Requirements 8.1.1, 8.2, 8.5, 8.2.3 through 8.2.5, and 8.1.6
through 8.1.8 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).

8.1 Define and implement policies and procedures 8.1.a Review procedures and confirm they By ensuring each user is uniquely identified— Not applicable Customers are responsible for defining and Customers are responsible for defining and
to ensure proper user identification management define processes for each of the items below at instead of using one ID for several employees documenting a User ID approval process, documenting a User ID approval process,
for non-consumer users and administrators on all 8.1.1 through 8.1.8 —an organization can maintain individual defining least privileges, restricting access defining least privileges, restricting access
system components as follows: responsibility for actions and an effective to cardholder data, using unique IDs, to cardholder data, using unique IDs,
8.1.b Verify that procedures are implemented audit trail per employee. This will help speed providing separation of duties, and providing separation of duties, and
for user identification management, by issue resolution and containment when revoking user access when no longer revoking user access when no longer
performing the following: misuse or malicious intent occurs. necessary. necessary.
8.1.1 Assign all users a unique ID before allowing 8.1.1 Interview administrative personnel to Not applicable Customers are responsible for defining and Customers are responsible for defining and
them to access system components or cardholder confirm that all users are assigned a unique ID documenting a User ID approval process, documenting a User ID approval process,
data. for access to system components or cardholder defining least privileges, restricting access defining least privileges, restricting access
data. to cardholder data, using unique IDs, to cardholder data, using unique IDs,
providing separation of duties, and providing separation of duties, and
8.1.2 Control addition, deletion, and modification 8.1.2 For a sample of privileged user IDs and To ensure that user accounts granted access Not applicable Customers are responsible for defining and Customers are responsible for defining and
of user IDs, credentials, and other identifier general user IDs, examine associated to systems are all valid and recognized users, documenting a User ID approval process, documenting a User ID approval process,
objects. authorizations and observe system settings to strong processes must manage all changes to defining least privileges, restricting access defining least privileges, restricting access
verify each user ID and privileged user ID has user IDs and other authentication to cardholder data, using unique IDs, to cardholder data, using unique IDs,
been implemented with only the privileges credentials, including adding new ones and providing separation of duties, and providing separation of duties, and
specified on the documented approval. modifying or deleting existing ones. revoking user access when no longer revoking user access when no longer
8.1.3 Immediately revoke access for any 8.1.3.a Select a sample of users terminated in
If an employee has left the company and still Not applicable Customers are responsible for defining and Customers are responsible for defining and
terminated users. the past six months, and review current userhas access to the network via their user documenting a User ID approval process, documenting a User ID approval process,
access lists—for both local and remote access
account, unnecessary or malicious access to defining least privileges, restricting access defining least privileges, restricting access
—to verify that their IDs have been cardholder data could occur—either by the to cardholder data, using unique IDs, to cardholder data, using unique IDs,
deactivated or removed from the access lists.
former employee or by a malicious user who providing separation of duties, and providing separation of duties, and
exploits the old and/or unused account. To revoking user access when no longer revoking user access when no longer
8.1.3.b Verify all physical authentication prevent unauthorized access, user necessary. necessary.
methods—such as, smart cards, tokens, etc.— credentials and other authentication
have been returned or deactivated. methods therefore need to be revoked
promptly (as soon as possible) upon the
employee’s departure.
8.1.4 Remove/disable inactive user accounts 8.1.4 Observe user accounts to verify that any Accounts that are not used regularly are Not applicable Customers are responsible for defining and Customers are responsible for defining and
within 90 days. inactive accounts over 90 days old are either often targets of attack since it is less likely documenting a User ID approval process, documenting a User ID approval process,
removed or disabled. that any changes (such as a changed defining least privileges, restricting access defining least privileges, restricting access
password) will be noticed. As such, these to cardholder data, using unique IDs, to cardholder data, using unique IDs,
accounts may be more easily exploited and providing separation of duties, and providing separation of duties, and
used to access cardholder data. revoking user access when no longer revoking user access when no longer
8.1.5 Manage IDs used by thid parties to access, 8.1.5.a Interview personnel and observe Allowing vendors to have 24/7 access into Microsoft Azure has adopted applicable Customers are responsible for defining and Customers are responsible for defining and
support, or maintain system components via processes for managing accounts used by your network in case they need to support corporate and organizational security documenting a User ID approval process, documenting a User ID approval process,
remote access as follows: vendors to access, support, or maintain systemyour systems increases the chances of policies, including an Information Security defining least privileges, restricting access defining least privileges, restricting access
- Enabled only during the time period needed and components to verify that accounts used by unauthorized access, either from a user in Policy. The policies have been approved, to cardholder data, using unique IDs, to cardholder data, using unique IDs,
disabled when not in use. vendors for remote access are: the vendor’s environment or from a published and communicated to Microsoft providing separation of duties, and providing separation of duties, and
- Monitored when in use. - Disabled when not in use malicious individual who finds and uses this Azure. The Information Security Policy revoking user access when no longer revoking user access when no longer
- Enabled only when needed by the vendor, always-available external entry point into requires that access to Microsoft Azure necessary. necessary.
and disabled when not in use. your network. Enabling access only for the assets to be granted based on business
time periods needed, and disabling it as soon justification, with the asset owner's
as it is no longer needed, helps prevent authorization and limited based on "need-
8.1.5.b Interview personnel and observe misuse of these connections. to-know" and "least-privilege" principles. In
processes to verify that vendor remote access Monitoring of vendor access provides addition, the policy also addresses
accounts are monitored while being used. assurance that vendors are accessing only requirements for access management
the systems necessary and only during lifecycle including access provisioning,
approved time frames. authentication, access authorization,
removal of access rights and periodic
access reviews.
8.1.6 Limit repeated access attempts by locking 8.1.6.a For a sample of system components, Without account-lockout mechanisms in Not applicable Customers are responsible for creating, Customers are responsible for creating,
out the user ID after not more than six attempts. inspect system configuration settings to verify place, an attacker can continually attempt to enforcing, and monitoring a password enforcing, and monitoring a password
that authentication parameters are set to guess a password through manual or policy compliant with PCI DSS policy compliant with PCI DSS
require that user accounts be locked out after automated tools (for example, password requirements. requirements.
not more than six invalid logon attempts. cracking), until they achieve success and gain
access to a user’s account.
Note: Testing Procedure 8.1.6.b is an
additional procedure that only applies if the
8.1.6.b Additional testing procedure for service entity being assessed is a service provider.
provider assessments only: Review internal
processes and customer/user documentation,
and observe implemented processes to verify
that non-consumer customer user accounts
are temporarily locked-out after not more than
six invalid access attempts.
8.1.7 Set the lockout duration to a minimum of 30 8.1.7 For a sample of system components, If an account is locked out due to someone Not applicable Customers are responsible for creating, Customers are responsible for creating,
minutes or until an administrator enables the user inspect system configuration settings to verify continually trying to guess a password, enforcing, and monitoring a password enforcing, and monitoring a password
ID. that password parameters are set to require controls to delay reactivation of these locked policy compliant with PCI DSS policy compliant with PCI DSS
that once a user account is locked out, it accounts stops the malicious individual from requirements. requirements.
remains locked for a minimum of 30 minutes continually guessing the password (they will
or until a system administrator resets the have to stop for a minimum of 30 minutes
account. until the account is reactivated). Additionally,
if reactivation must be requested, the admin
or help desk can validate that it is the actual
account owner requesting reactivation.
8.1.8 If a session has been idle for more than 15 8.1.8 For a sample of system components, When users walk away from an open Not applicable Customers are responsible for creating, Customers are responsible for creating,
minutes, require the user to re-authenticate to re- inspect system configuration settings to verify machine with access to critical system enforcing, and monitoring a password enforcing, and monitoring a password
activate the terminal or session. that system/session idle time out features components or cardholder data, that policy compliant with PCI DSS policy compliant with PCI DSS
have been set to 15 minutes or less. machine may be used by others in the user’s requirements. requirements.
absence, resulting in unauthorized account
access and/or misuse.
The re-authentication can be applied either
at the system level to protect all sessions
running on that machine, or at the
application level.
8.2 In addition to assigning a unique ID, ensure 8.2 To verify that users are authenticated using These authentication methods, when used in Not applicable Customers are responsible for creating, Customers are responsible for creating,
proper user-authentication management for non- unique ID and additional authentication (for addition to unique IDs, help protect users’ enforcing, and monitoring a password and enforcing, and monitoring a password and
consumer users and administrators on all system example, a password/phrase) for access to the IDs from being compromised, since the one timeout policy compliant with PCI DSS timeout policy compliant with PCI DSS
components by employing at least one of the cardholder data environment, perform the attempting the compromise needs to know requirements. requirements.
following methods to authenticate all users: following: both the unique ID and the password (or
- Something you know, such as a password or - Examine documentation describing the other authentication used). Note that a
passphrase authentication method(s) used. digital certificate is a valid option for
- Something you have, such as a token device or - For each type of authentication method used “something you have” as long as it is unique
smart card and for each type of system component, for a particular user.
- Something you are, such as a biometric. observe an authentication to verify Since one of the first steps a malicious
authentication is functioning consistent with individual will take to compromise a system
documented authentication method(s). is to exploit weak or nonexistent passwords,
it is important to implement good processes
for authentication management.
8.2.1 Using strong cryptography, render all 8.2.1.a Examine vendor documentation and Many network devices and applications Microsoft Azure has established key Customers are responsible for ensuring Customers are responsible for ensuring
authentication credentials (such as system configuration settings to verify that transmit unencrypted, readable passwords management procedures to manage secrets used to access their application and secrets used to access their application and
passwords/phrases) unreadable during passwords are protected with strong across the network and/or store passwords cryptographic keys throughout their data are stored using encryption or data are stored using encryption or
transmission and storage on all system cryptography during transmission and storage. without encryption. A malicious individual lifecycle (e.g., generation, distribution, equivalent mechanism. equivalent mechanism.
components. can easily intercept unencrypted passwords revocation). Microsoft Azure uses
8.2.1.b For a sample of system components, during transmission using a “sniffer,” or Microsoft's corporate PKI infrastructure.
examine password files to verify that directly access unencrypted passwords in
passwords are unreadable during storage. files where they are stored, and use this data
to gain unauthorized access. Note: Testing
8.2.1.c For a sample of system components, Procedures 8.2.1.d and 8.2.1.e are additional
examine data transmissions to verify that procedures that only apply if the entity being
passwords are unreadable during transmission. assessed is a service provider.
8.2.1.d Additional testing procedure for service
provider assessments only: Observe password
files to verify that non-consumer customer
passwords are unreadable during storage.
8.2.1.e Additional testing procedure for service

provider assessments only: Observe data
transmissions to verify that non-consumer
customer passwords are unreadable during
transmission.
8.2.2 Verify user identity before modifying any 8.2.2 Examine authentication procedures for Many malicious individuals use "social
authentication credential—for example, modifying authentication credentials and engineering”—for example, calling a help
performing password resets, provisioning new observe security personnel to verify that, if a desk and acting as a legitimate user—to have
tokens, or generating new keys. user requests a reset of an authentication a password changed so they can utilize a user
credential by phone, e-mail, web, or other non- ID. Consider use
face-to-face method, the user’s identity is of a “secret question” that only the proper
verified before the authentication credential is user can answer to help administrators
modified. identify the user prior
to re-setting or modifying authentication
credentials.
8.2.3 Passwords/phrases must meet the following: 8.2.3.a For a sample of system components, Strong passwords/passphrases are the first Not applicable Customers are responsible for creating, Customers are responsible for creating,
- Require a minimum length of at least seven inspect system configuration settings to verify line of defense into a network since a enforcing and monitoring a password policy enforcing and monitoring a password policy
characters. that user password parameters are set to malicious individual will often first try to find compliant with PCI DSS requirements for compliant with PCI DSS requirements for
- Contain both numeric and alphabetic characters. require at least the following accounts with weak or non-existent PaaS service and Portal access. Customers IaaS instance and Portal access. Customers
Alternatively, the passwords/phrases must have strength/complexity: passwords. If passwords are short or simple are responsible for keeping passwords from are responsible for keeping passwords from
complexity and strength at least equivalent to the - Require a minimum length of at least seven to guess, it is relatively easy for a malicious being disclosed to unauthorized parties and being disclosed to unauthorized parties and
parameters specified above. characters. individual to find these weak accounts and for choosing passwords with sufficient for choosing passwords with sufficient
- Contain both numeric and alphabetic compromise a network under the guise of a entropy as to be effectively non-guessable entropy as to be effectively non-guessable
characters. valid user ID. and for deployment of services such as and for deployment of services such as
This requirement specifies that a minimum of multi-factor authentication. multi-factor authentication.
seven characters and both numeric and
alphabetic characters should be used for
passwords/passphrases. For cases where this
minimum cannot be met due to technical
limitations, entities can use “equivalent
strength” to evaluate their alternative. For
information on variability and equivalency of
password strength (also referred to as
entropy) for
passwords/passphrases of different formats,
refer to industry standards (e.g., the current
version of NIST SP 800-63.)
entity being assessed is a service provider.
characters. malicious individual will often first try to find compliant with PCI DSS requirements for compliant with PCI DSS requirements for
- Contain both numeric and alphabetic characters. accounts with weak or non-existent PaaS service and Portal access. Customers IaaS instance and Portal access. Customers
Alternatively, the passwords/phrases must have passwords. If passwords are short or simple are responsible for keeping passwords from are responsible for keeping passwords from
complexity and strength at least equivalent to the to guess, it is relatively easy for a malicious being disclosed to unauthorized parties and being disclosed to unauthorized parties and
parameters specified above. individual to find these weak accounts and for choosing passwords with sufficient for choosing passwords with sufficient
compromise a network under the guise of a entropy as to be effectively non-guessable entropy as to be effectively non-guessable
valid user ID. and for deployment of services such as and for deployment of services such as
This requirement specifies that a minimum of multi-factor authentication. multi-factor authentication.
seven characters and both numeric and
alphabetic characters should be used for
passwords/passphrases. For cases where this
minimum cannot be met due to technical
8.2.3.b Additional testing procedure for service
limitations, entities can use “equivalent
provider assessments only: Review internal
processes and customer/user documentation strength” to evaluate their alternative. For
information on variability and equivalency of
to verify that non-consumer customer
password strength (also referred to as
passwords are required to meet at least the
entropy) for
following strength/complexity:
passwords/passphrases of different formats,
- Require a minimum length of at least seven
characters. refer to industry standards (e.g., the current
version of NIST SP 800-63.)
- Contain both numeric and alphabetic
characters.
entity being assessed is a service provider.
8.2.4 Change user passwords/passphrases at least 8.2.4.a For a sample of system components, Passwords/phrases that are valid for a long Not applicable Customers are responsible for creating, Customers are responsible for creating,
once every 90 days. inspect system configuration settings to verify time without a change provide malicious enforcing and monitoring a password policy enforcing and monitoring a password policy
that user password parameters are set to individuals with more time to work on compliant with PCI DSS requirements for compliant with PCI DSS requirements for
require users to change passwords at least breaking the password/phrase. PaaS service and Portal access. Customers IaaS instance and Portal access. Customers
once every 90 days. Note: Testing Procedure 8.2.4.b is an are responsible for keeping passwords from are responsible for keeping passwords from
additional procedure that only applies if the being disclosed to unauthorized parties and being disclosed to unauthorized parties and
entity being assessed is a service provider. for choosing passwords with sufficient for choosing passwords with sufficient
entropy as to be effectively non-guessable entropy as to be effectively non-guessable
8.2.4.b Additional testing procedure for service and for deployment of services such as and for deployment of services such as
provider assessments only: Review internal multi-factor authentication. multi-factor authentication.
processes and customer/user documentation
to verify that:
 Non-consumer customer user passwords are
required to change periodically; and
 Non-consumer customer users are given
guidance as to when, and under what
circumstances, passwords must change.
8.2.5 Do not allow an individual to submit a new 8.2.5.a For a sample of system components, If password history isn’t maintained, the Not applicable
password/phrase that is the same as any of the obtain and inspect system configuration effectiveness of changing passwords is
last four passwords/phrases he or she has used. settings to verify that password parameters are reduced, as previous passwords can be
set to require that new passwords cannot be reused over and over. Requiring that
the same as the four previously used passwords cannot be reused for a period of
passwords. time reduces the likelihood that passwords
that have been guessed or brute-forced will
be used in the future.
8.2.5.b Additional testing procedure for service Note: Testing Procedure 8.2.5.b is an
provider assessments only: Review internal additional procedure that only applies if the
processes and customer/user documentation entity being assessed is a service provider.
to verify that new non-consumer customer
user passwords cannot be the same as the
previous four passwords.
8.2.6 Set passwords/phrases for first-time use and 8.2.6 Examine password procedures and If the same password is used for every new Not applicable
upon reset to a unique value for each user, and observe security personnel to verify that first- user, an internal user, former employee, or
change immediately after the first use. time passwords for new users, and reset malicious individual may know or easily
passwords for existing users, are set to a discover this password, and use it to gain
unique value for each user and changed after access to accounts.
first use.
8.3 Secure all individual non-console Multi-factor authentication requires an Azure administrators are required to use Customers are responsible for Customers are responsible for
administrative access and all remote access to the individual to present a minimum of two multi-factor authentication to access when implementing multi-factor authentication implementing multi-factor authentication
CDE using multi-factor authentication. separate forms of authentication (as performing maintenance and mechanisms for access to their CDE. mechanisms for access to their CDE.
Note: Multi-factor authentication requires that a described in Requirement 8.2), before access administration to Azure systems and
minimum of two of the three authentication is granted. Multi-factor authentication servers.
methods (see Requirement 8.2 for descriptions of provides additional assurance that the
authentication methods) be used for individual attempting to gain access is who
authentication. Using one factor twice (for they claim to be. With multi-factor
example, using two separate authentication, an attacker would need to
passwords) is not considered multi-factor compromise at least two different
authentication. authentication mechanisms, increasing the
difficulty of compromise and thus reducing
the risk.
Multi-factor authentication is not required at
both the system-level and application-level
for a particular system component. Multi-
factor authentication can be performed
either upon authentication to the particular
network or to the system component.
Examples of multi-factor technologies
include but are not limited to remote
authentication and dial-in service (RADIUS)
with tokens; terminal access controller
access control system (TACACS) with tokens;
and other technologies that facilitate multi-
factor authentication.
administrative access and all remote access to the individual to present a minimum of two multi-factor authentication to access when implementing multi-factor authentication implementing multi-factor authentication
CDE using multi-factor authentication. separate forms of authentication (as performing maintenance and mechanisms for access to their CDE. mechanisms for access to their CDE.
Note: Multi-factor authentication requires that a described in Requirement 8.2), before access administration to Azure systems and
minimum of two of the three authentication is granted. Multi-factor authentication servers.
methods (see Requirement 8.2 for descriptions of provides additional assurance that the
authentication methods) be used for individual attempting to gain access is who
authentication. Using one factor twice (for they claim to be. With multi-factor
example, using two separate authentication, an attacker would need to
passwords) is not considered multi-factor compromise at least two different
authentication. authentication mechanisms, increasing the
difficulty of compromise and thus reducing
the risk.
Multi-factor authentication is not required at
both the system-level and application-level
for a particular system component. Multi-
factor authentication can be performed
either upon authentication to the particular
network or to the system component.
Examples of multi-factor technologies
include but are not limited to remote
authentication and dial-in service (RADIUS)
with tokens; terminal access controller
access control system (TACACS) with tokens;
and other technologies that facilitate multi-
factor authentication.
8.3.1 Incorporate multi-factor authentication for 8.3.1.a Examine network and/or system This requirement is intended to apply to all
all non-console access into the CDE for personnel configurations, as applicable, to verify multi- personnel with administrative access to the
with administrative access. factor authentication is required for all non- CDE. This requirement applies only to
console administrative access into the CDE. personnel with administrative access and
only for non-console access to the CDE; it
does not apply to application
or system accounts performing automated
functions.
8.3.1.b Observe a sample of administrator If the entity does not use segmentation to
personnel login to the CDE and verify that at separate the CDE from the rest of their
least two of the three authentication methods network, an administrator could use multi-
are used. factor authentication either when logging
onto the CDE network or when
logging onto a system.
If the CDE is segmented from the rest of the
entity’s network, an administrator would
need to use multi-factor authentication when
connecting to a CDE
system from a non-CDE network. Multi-
factor authentication can be implemented at
network level or at system/application level;
it does not have to be both. If the
administrator uses MFA when logging into
the CDE network, they do not also need to
use MFA to log into a particular system or
application
within the CDE.
8.3.2 Incorporate multi-factor authentication for 8.3.2.a Examine system configurations for This requirement is intended to apply to all
all remote network access (both user and remote access servers and systems to verify personnel—including general users,
administrator, and including third-party access for multi-factor authentication is required for: administrators, and vendors (for support or
support or maintenance) originating from outside - All remote access by personnel, both user and maintenance) with remote access to the
the entity’s network. administrator, and network—where that remote access could
- All third-party/vendor remote access lead to access to the CDE. If remote
including access to applications and system access is to an entity’s network that has
components for support or maintenance appropriate segmentation, such that remote
purposes). users cannot access or impact the cardholder
data environment, multi-factor
authentication for remote access to that
network would not be required. However,
multi-factor authentication is required for
any remote access to networks with access
to the cardholder data environment, and is
8.3.2.b Observe a sample of personnel (for recommended for all remote access to the
example, users and administrators) connecting entity’s networks.
remotely to the network and verify that at
least two of the three authentication methods
are used.
8.4 Document and communicate authentication 8.4.a Examine procedures and interview Communicating password/authentication Not applicable Customers are responsible for following Customers are responsible for following
procedures and policies and procedures to all personnel to verify that authentication procedures to all users helps those users guidance and document and communicate guidance and document and communicate
users including: procedures and policies are distributed to all understand and abide by the policies. authentication procedures and policies to authentication procedures and policies to
- Guidance on selecting strong authentication users. For example, guidance on selecting strong all users all users
credentials passwords may include suggestions to help
- Guidance for how users should protect their personnel select hard-to-guess passwords
authentication credentials that don’t contain dictionary words, and that
- Instructions not to reuse previously used 8.4.b Review authentication procedures and don’t contain information about the user
passwords policies that are distributed to users and verify (such as the user ID, names of family
- Instructions to change passwords if there is any they include: members, date of birth, etc.). Guidance for
suspicion the password could be compromised. - Guidance on selecting strong authentication protecting authentication credentials may
credentials include not writing down passwords or
- Guidance for how users should protect their saving them in insecure files, and being alert
authentication credentials. for malicious individuals who may attempt to
- Instructions
8.4.c Interviewfora sample
users not
of to reuse
users to previously
verify that exploit their passwords (for example, by
used passwords
they are familiar with authentication calling an employee and asking for their
- Instructionsand
procedures to policies.
change passwords if there is password so the caller can “troubleshoot a
any suspicion the password could be problem”).
compromised. Instructing users to change passwords if
there is a chance the password is no longer
secure can prevent malicious users from
using a legitimate password to gain
unauthorized access.
passwords (such as the user ID, names of family
- Instructions to change passwords if there is any members, date of birth, etc.). Guidance for
suspicion the password could be compromised. protecting authentication credentials may
include not writing down passwords or
saving them in insecure files, and being alert
for malicious individuals who may attempt to
exploit their passwords (for example, by
calling an employee and asking for their
password so the caller can “troubleshoot a
problem”).
Instructing users to change passwords if
there is a chance the password is no longer
8.4.c Interview a sample of users to verify that secure can prevent malicious users from
they are familiar with authentication using a legitimate password to gain
procedures and policies. unauthorized access.
8.5 Do not use group, shared, or generic IDs, 8.5.a For a sample of system components, If multiple users share the same Not applicable Customers are responsible for following Customers are responsible for following
passwords, or other authentication methods as examine user ID lists to verify the following: authentication credentials (for example, user guidance when maintaining storage guidance when maintaining storage
follows: - Generic user IDs are disabled or removed. account and password), it becomes credentials and not use group, shared, or credentials and not use group, shared, or
- Generic user IDs are disabled or removed. - Shared user IDs for system administration impossible to trace system access and generic IDs, passwords, or other generic IDs, passwords, or other
- Shared user IDs do not exist for system activities and other critical functions do not activities to an individual. This in turn authentication methods authentication methods
administration and other critical functions. exist. prevents an entity from assigning
- Shared and generic user IDs are not used to - Shared and generic user IDs are not used to accountability for, or having effective logging
administer any system components. administer any system components. of, an individual’s actions, since a given
action could have been performed by anyone
in the group that has knowledge of the
8.5.b Examine authentication authentication credentials.
policies/procedures to verify that use of group
and shared IDs and/or passwords or other
authentication methods are explicitly
prohibited.
8.5.c Interview system administrators to verify

that group and shared IDs and/or passwords or
other authentication methods are not
distributed, even if requested.
8.5.1 Additional requirement for service providers 8.5.1 Additional testing procedure for service Note: This requirement applies only when
only: Service providers with remote access to provider assessments only: Examine the entity being assessed is a service
customer premises (for example, for support of authentication policies and procedures and provider.
POS systems or servers) must use a unique interview personnel to verify that different To prevent the compromise of multiple
authentication credential (such as a authentication credentials are used for access customers through the use of a single set of
password/phrase) for each customer. to each customer. credentials, vendors with remote access
Note: This requirement is not intended to apply to accounts to customer environments should
shared hosting providers accessing their own use a different authentication credential for
hosting environment, where multiple customer each customer. Not Applicable for Microsoft Azure customers. Not Applicable for Microsoft Azure customers.
environments are hosted. Technologies, such as two-factor
mechanisms, that provide a unique
credential for each connection (for example,
via a single-use password) could also meet
the intent of this requirement.
8.6 Where other authentication mechanisms are 8.6.a Examine authentication policies and If user authentication mechanisms such as Not applicable Customers are responsible for developing Customers are responsible for developing
used (for example, physical or logical security procedures to verify that procedures for using tokens, smart cards, and certificates can be and enforcing an access control policy and enforcing an access control policy
tokens, smart cards, certificates, etc.), use of these authentication mechanisms such as physical used by multiple accounts, it may be consistent with the provisions of this consistent with the provisions of this
mechanisms must be assigned as follows: security tokens, smart cards, and certificates impossible to identify the individual using the control control
- Authentication mechanisms must be assigned to are defined and include: authentication mechanism. Having physical
an individual account and not shared among - Authentication mechanisms are assigned to and/or logical controls (for example, a PIN,
multiple accounts. an individual account and not shared among biometric data, or a password) to uniquely
- Physical and/or logical controls must be in place multiple accounts. identify the user of the account will prevent
to ensure only the intended account can use that - Physical and/or logical controls are defined to unauthorized users from gaining access
mechanism to gain access. ensure only the intended account can use that through use of a shared authentication
mechanism to gain access. mechanism.
8.6.b Interview security personnel to verify

authentication mechanisms are assigned to an
account and not shared among multiple
accounts.
8.6.c Examine system configuration settings

and/or physical controls, as applicable, to
verify that controls are implemented to ensure
only the intended account can use that
mechanism to gain access.
8.7 All access to any database containing 8.7.a Review database and application Without user authentication for access to Not applicable Customers are responsible for managing Customers are responsible for managing
cardholder data (including access by applications, configuration settings and verify that all users databases and applications, the potential for access to in-scope databases. access to in-scope databases.
administrators, and all other users) is restricted as are authenticated prior to access. unauthorized or malicious access increases,
follows: and such access cannot be logged since the
- All user access to, user queries of, and user 8.7.b Examine database and application user has not been authenticated and is
actions on databases are through programmatic configuration settings to verify that all user therefore not known to the system. Also,
methods. access to, user queries of, and user actions on database access should be granted through
- Only database administrators have the ability to (for example, move, copy, delete), the programmatic methods only (for example,
directly access or query databases. database
8.7.c are through
Examine databaseprogrammatic methods
access control settings through stored procedures), rather than via
- Application IDs for database applications can onlydatabase
and (for example, throughconfiguration
application stored procedures).
settings direct access to the database by end users
only be used by the applications (and not by to verify that user direct access to or queries of (except for DBAs, who may need direct
individual users or other non-application databases are restricted to database access to the database for their
processes). 8.7.d Examine database access control settings, administrative duties).
administrators.
database application configuration settings,
and the related application IDs to verify that
application IDs can only be used by the
applications (and not by individual users or
other processes).
8.8 Ensure that security policies and operational 8.8 Examine documentation interview Personnel need to be aware of and following Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
procedures for identification and authentication personnel to verify that security policies and security policies and operational procedures that security policies and operational that security policies and operational
are documented, in use, and known to all affected operational procedures for identification and for managing identification and authorization procedures for identification and procedures for identification and
parties. authentication are: on a continuous basis. authentication are documented, in use, and authentication are documented, in use, and
- Documented, known to all affected parties. known to all affected parties.
- In use, and
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and
consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper and electronic media containing cardholder data.

9.1 Use appropriate facility entry controls to limit 9.1 Verify the existence of physical security Without physical access controls, such as Microsoft Azure is responsible for Not applicable Not applicable
and monitor physical access to systems in the controls for each computer room, data badge systems and door controls, implementing, enforcing, and monitoring
cardholder data environment. center, and other physical areas with systems unauthorized persons could potentially gain physical access security for data centers.
in the cardholder data environment. access to the facility to steal, disable, disrupt,
- Verify that access is controlled with badge or destroy critical systems and cardholder
readers or other devices including authorized data.
badges and lock and key. Locking console login screens prevents
- Observe a system administrator’s attempt unauthorized persons from gaining access to
to log into consoles for randomly selected sensitive information, altering system
systems in the cardholder environment and configurations, introducing vulnerabilities
verify that they are “locked” to prevent into the network, or destroying records.
unauthorized use.
9.1.1 Use either video cameras or access control 9.1.1.a Verify that video cameras and/or When investigating physical breaches, these Microsoft Azure is responsible for
mechanisms (or both) to monitor individual access control mechanisms are in place to controls can help identify the individuals that implementing, enforcing, and monitoring
physical access to sensitive areas. Review monitor the entry/exit points to sensitive physically accessed the sensitive areas, as CCTV and biometric access control
collected data and correlate with other entries. areas. well as when they entered and exited. mechanisms for data centers.
Store for at least three months, unless otherwise Criminals attempting to gain physical access
restricted by law. to sensitive areas will often attempt to
disable or bypass the monitoring controls. To
Note: “Sensitive areas” refers to any data center, 9.1.1.b Verify that video cameras and/or protect these controls from tampering, video
server room or any area that houses systems that access control mechanisms are protected cameras could be positioned so they are out
store, process, or transmit cardholder data. This from tampering or disabling. of reach and/or be monitored to detect
excludes public-facing areas where only point-of- tampering. Similarly, access control
sale terminals are present, such as the cashier mechanisms could be monitored or have
areas in a retail store. physical protections installed to prevent
them being damaged or disabled by
malicious individuals.
9.1.1.c Verify that video cameras and/or
access control mechanisms are monitored Examples of sensitive areas include corporate
and that data from cameras or other database server rooms, back-office rooms at
mechanisms is stored for at least three retail locations that store cardholder data,
months. and storage areas for large quantities of
cardholder data. Sensitive areas should be
identified by each organization to ensure the
appropriate physical monitoring controls are
implemented.
9.1.2 Implement physical and/or logical controls to 9.1.2 Interview responsible personnel and Restricting access to network jacks (or There are no publicly accessible network
restrict access to publicly accessible network jacks. observe locations of publicly accessible network ports) will prevent malicious jacks within the Microsoft Azure platform.
network jacks to verify that physical and/or individuals from plugging into readily
For example, network jacks located in public areas logical controls are in place to restrict access available network jacks and gain access into
and areas accessible to visitors could be disabled to publicly accessible network jacks. internal network resources.
and only enabled when network access is explicitly Whether logical or physical controls, or a
authorized. Alternatively, processes could be combination of both, are used, they should
implemented to ensure that visitors are escorted be sufficient to prevent an individual or
at all times in areas with active network jacks. device that is not explicitly authorized from
being able to connect to the network.
9.1.3 Restrict physical access to wireless access 9.1.3 Verify that physical access to wireless Without security over access to wireless Physical access to Microsoft Azure network
points, gateways, handheld devices, access points, gateways, handheld devices, components and devices, malicious users hardware is tightly controlled by access
networking/communications hardware, and networking/communications hardware, and could use an organization’s unattended lists, multiple forms of authentication,
telecommunication lines. telecommunication lines is appropriately wireless devices to access network resources, physical barriers to entry, and requirement
restricted. or even connect their own devices to the for business need to be approved for
wireless network to gain unauthorized access to equipment.
access. Additionally, securing networking and
communications hardware prevents
malicious users from intercepting network
traffic or physically connecting their own
devices to wired network resources.
9.2 Develop procedures to easily distinguish 9.2.a Review documented processes to verify Identifying authorized visitors so they are Microsoft Azure is responsible for
between onsite personnel and visitors, to include: that procedures are defined for identifying easily distinguished from onsite personnel implementing, enforcing, and monitoring
- Identifying onsite personnel and visitors (for and distinguishing between onsite personnel prevents unauthorized visitors from being physical access security and FTE or
example, assigning badges) and visitors. granted access to areas containing contractor identification when visiting data
- Changes to access requirements - Verify procedures include the following: cardholder data. centers.
- Revoking or terminating onsite personnel and - Identifying onsite personnel and visitors (for
expired visitor identification (such as ID badges). example, assigning badges),
- Changing access requirements, and
- Revoking terminated onsite personnel and
expired visitor identification (such as ID
badges)
9.2.b Examine identification methods (such

as ID badges) and observe processes for
identifying and distinguishing between onsite
personnel and visitors to verify that:
- Visitors are clearly identified, and
- It is easy to distinguish between onsite
personnel and visitors.
9.2.c Verify that access to the identification

process (such as a badge system) is limited to
authorized personnel.
9.3 Control physical access for onsite personnel to 9.3.a For a sample of onsite personnel with Controlling physical access to the CDE helps Access authorizations to Microsoft data
the sensitive areas as follows: physical access to the CDE, interview ensure that only authorized personnel with a centers is controlled using an authorized
- Access must be authorized and based on responsible personnel and observe access legitimate business need are granted access. access list approved by the Data Center
individual job function. control lists to verify that: When personnel leave the organization, all team based on the principle of least
- Access is revoked immediately upon termination, - Access to the CDE is authorized. physical access mechanisms should be privilege. The access control list is
and all physical access mechanisms, such as keys, - Access is required for the individual’s job returned or disabled promptly (as soon as reviewed, verified and updated quarterly.
access cards, etc., are returned or disabled. function. possible) upon their departure, to ensure
personnel cannot gain physical access to the Microsoft Azure data centers utilize
CDE once their employment has ended. physical access devices such as perimeter
9.3.b Observe personnel access the CDE to gates, electronic access badge readers,
verify that all personnel are authorized biometric readers, man-traps/portals and
before being granted access. anti-pass back devices. Access badge
devices are continuously monitored.
9.3.c Select a sample of recently terminated
employees and review access control lists to
verify the personnel do not have physical
access to sensitive areas.
9.4 Implement procedures to identify and 9.4 Verify that visitor authorization and Microsoft Azure is responsible for enforcing
authorize visitors. Procedures should include the access controls are in place as follows: pre-approved deliveries are received in a
following: secure loading bay that is physically
isolated from information processing
9.4.1 Visitors are authorized before entering, and 9.4.1.a Observe procedures and interview Visitor controls are important to reduce the facilities and are monitored by authorized
escorted at all times within, areas where personnel to verify that visitors must be ability of unauthorized and malicious persons personnel.
cardholder data is processed or maintained. authorized before they are granted access to, to gain access to facilities (and potentially, to
and escorted at all times within, areas where cardholder data).
cardholder data is processed or maintained. Visitor controls ensure visitors are
identifiable as visitors so personnel can
monitor their activities, and that their access
is restricted to just the duration of their
9.4.1.b Observe the use of visitor badges or legitimate visit.
other identification to verify that a physical Ensuring that visitor badges are returned
token badge does not permit unescorted upon expiry or completion of the visit
access to physical areas where cardholder prevents malicious persons from using a
data is processed or maintained. previously authorized pass to gain physical
access into the building after the visit has
ended.
9.4.2 Visitors are identified and given a badge or 9.4.2.a Observe people within the facility to A visitor log documenting minimum Microsoft data center access must be pre-
other identification that expires and that visibly verify the use of visitor badges or other information on the visitor is easy and approved and authorized visitors are
distinguishes the visitors from onsite personnel. identification, and that visitors are easily inexpensive to maintain and will assist in required to check-in with physical security
distinguishable from onsite personnel. identifying physical access to a building or at the point of arrival and provide a valid
room, and potential access to cardholder proof of ID before entry. Badges clearly
9.4.2.b Verify that visitor badges or other data. indicate FTEs. Contractors and visitors
identification expire. receive temporary badges that must be
surrendered upon departure from the
facility.
9.4.3 Visitors are asked to surrender the badge or 9.4.3 Observe visitors leaving the facility to Visitors are required to surrender badges
identification before leaving the facility or at the verify visitors are asked to surrender their upon departure from any Microsoft facility.
date of expiration. badge or other identification upon departure
or expiration.
9.4.4 A visitor log is used to maintain a physical 9.4.4.a Verify that a visitor log is in use to Microsoft Azure is responsible for
audit trail of visitor activity to the facility as well as record physical access to the facility as well maintaining a visitor log as a physical audit
computer rooms and data centers where as computer rooms and data centers where trail of visitor activity to the facility as well
cardholder data is stored or transmitted. cardholder data is stored or transmitted. as computer rooms and data centers where
Document the visitor’s name, the firm cardholder data is stored or transmitted.
represented, and the onsite personnel authorizing
physical access on the log.
Retain this log for a minimum of three months, 9.4.4.b Verify that the log contains:
unless otherwise restricted by law. - The visitor’s name,
- The firm represented, and
- The onsite personnel authorizing physical
access.
9.4.4.c Verify that the log is retained for at

least three months.
9.5 Physically secure all media. 9.5 Verify that procedures for protecting Controls for physically securing media are Not applicable Not applicable Customers are responsible for maintaining
cardholder data include controls for intended to prevent unauthorized persons control of any data stored outside of the
physically securing all media (including but from gaining access to cardholder data on Microsoft Azure environment.
not limited to computers, removable any type of media. Cardholder data is
electronic media, paper receipts, paper susceptible to unauthorized viewing,
reports, and faxes). copying, or scanning if it is unprotected while
it is on removable or portable media, printed
out, or left on someone’s desk.
9.5.1 Store media backups in a secure location, 9.5.1 Verify that the storage location security If stored in a non-secured facility, backups Customers are responsible for maintaining
preferably an off-site facility, such as an alternate is reviewed at least annually to confirm that that contain cardholder data may easily be control of any data stored outside of the
or backup site, or a commercial storage facility. backup media sorage is secure. lost, stolen, or copied for malicious intent. Microsoft Azure environment.
Review the location’s security at least annually. Periodically reviewing the storage facility
enables the organization to address
identified security issues in a timely manner,
minimizing the potential risk.
9.6 Maintain strict control over the internal or 9.6 Verify that a policy exists to control Procedures and processes help protect Customers are responsible for maintaining
external distribution of any kind of media, distribution of media, and that the policy cardholder data on media distributed to control of any data stored outside of the
including the following: covers all distributed media including that internal and/or external users. Without such Microsoft Azure environment.
distributed to individuals. procedures data can be lost or stolen and
used for fraudulent purposes.
9.6.1 Classify media so the sensitivity of the data 9.6.1 Verify that all media is classified so the It is important that media be identified such Customers are responsible for maintaining
can be determined. sensitivity of the data can be determined. that its classification status can be easily control of any data stored outside of the
discernible. Media not identified as Microsoft Azure environment.
confidential may not be adequately
protected or may be lost or stolen.
Note: This does not mean the media needs to

have a “Confidential” label attached; the
intent is that the organization has identified
media that contains sensitive data so it can
protect it.
9.6.2 Send the media by secured courier or other 9.6.2.a Interview personnel and examine Media may be lost or stolen if sent via a non- Customers are responsible for maintaining
delivery method that can be accurately tracked. records to verify that all media sent outside trackable method such as regular postal mail. control of any data stored outside of the
the facility is logged and sent via secured Use of secure couriers to deliver any media Microsoft Azure environment.
courier or other delivery method that can be that contains cardholder data allows
tracked. organizations to use their tracking systems to
maintain inventory and location of
9.6.2.b Select a recent sample of several days shipments. Customers are responsible for maintaining
of offsite tracking logs for all media, and control of any data stored outside of the
verify tracking details are documented. Microsoft Azure environment.
9.6.3 Ensure management approves any and all 9.6.3 Select a recent sample of several days Without a firm process for ensuring that all Customers are responsible for maintaining
media that is moved from a secured area of offsite tracking logs for all media. From media movements are approved before the control of any data stored outside of the
(including when media is distributed to examination of the logs and interviews with media is removed from secure areas, the Microsoft Azure environment.
individuals). responsible personnel, verify proper media would not be tracked or appropriately
management authorization is obtained protected, and its location would be
whenever media is moved from a secured unknown, leading to lost or stolen media.
area (including when media is distributed to
individuals).
9.7 Maintain strict control over the storage and 9.7 Obtain and examine the policy for Without careful inventory methods and Customers are responsible for maintaining
accessibility of media. controlling storage and maintenance of all storage controls, stolen or missing media control of any data stored outside of the
media and verify that the policy requires could go unnoticed for an indefinite amount Microsoft Azure environment.
periodic media inventories. of time.
If media is not inventoried, stolen or lost
media may not be noticed for a long time or Customers are responsible for maintaining
at all. control of any data stored outside of the
Microsoft Azure environment.
9.7.1 Properly maintain inventory logs of all media 9.7.1 Review media inventory logs to verify Customers are responsible for maintaining
and conduct media inventories at least annually. that logs are maintained and media control of any data stored outside of the
inventories are performed at least annually. Microsoft Azure environment.
9.8 Destroy media when it is no longer needed for 9.8 Examine the periodic media destruction If steps are not taken to destroy information Customers are responsible for maintaining
business or legal reasons as follows: policy and verify that it covers all media and contained on hard disks, portable drives, control of any data stored outside of the
defines requirements for the following: CD/DVDs, or paper prior to disposal, Microsoft Azure environment.
- Hard-copy materials must be crosscut malicious individuals may be able to retrieve
shredded, incinerated, or pulped such that information from the disposed media,
there is reasonable assurance the hard-copy leading to a data compromise. For example,
materials cannot be reconstructed. malicious individuals may use a technique
- Storage containers used for materials that known as “dumpster diving,” where they
are to be destroyed must be secured. search through trashcans and recycle bins
- Cardholder data on electronic media must looking for information they can use to
be rendered unrecoverable (e.g., via a secure launch an attack.
wipe program in accordance with industry- Securing storage containers used for
accepted standards for secure deletion, or by materials that are going to be destroyed
physically destroying the media). prevents sensitive information from being
captured while the materials are being
collected. For example, “to-be-shredded”
containers could have a lock preventing
access to its contents or physic ally prevent
access to the inside of the container.
Examples of methods for securely destroying
electronic media include secure wiping,
degaussing, or physical destruction (such as
grinding or shredding hard disks).
prevents sensitive information from being
captured while the materials are being
collected. For example, “to-be-shredded”
containers could have a lock preventing
access to its contents or physic ally prevent
access to the inside of the container.
Examples of methods for securely destroying
electronic media include secure wiping,
degaussing, or physical destruction (such as
grinding or shredding hard disks).
9.8.1 Shred, incinerate, or pulp hard-copy 9.8.1.a Interview personnel and examine Customers are responsible for maintaining
materials so that cardholder data cannot be procedures to verify that hard-copy materials control of any data stored outside of the
reconstructed. Secure storage containers used for are crosscut shredded, incinerated, or pulped Microsoft Azure environment.
materials that are to be destroyed. such that there is reasonable assurance the
hard-copy materials cannot be
reconstructed.
9.8.1.b Examine storage containers used for
materials that contain information to be
destroyed to verify that the containers are
secured.
9.8.2 Render cardholder data on electronic media 9.8.2 Verify that cardholder data on Data destruction techniques vary Not applicable Customers are resoponsible for securely
unrecoverable so that cardholder data cannot be electronic media is rendered unrecoverable depending on the type of data object being wiping any media stored on-premise,
reconstructed. via a secure wipe program in accordance destroyed, whether it be subscriptions, outside of the Microsoft Azure
with industry-accepted standards for secure storage, virtual machines, or databases. In environment.
deletion, or otherwise physically destroying the Microsoft Azure multi-tenant
the media). environment, careful attention is taken to
ensure that one customer’s data is not
allowed to either “leak” into another
customer’s data, or when a customer
deletes data, no other customer (including,
in most cases, the customer who once
owned the data) can gain access to that
deleted data.
Microsoft Azure follows NIST 800-88

Guidelines on Media Sanitization, which
address the principal concern of ensuring
that data is not unintentionally released.
These guidelines encompass both
electronic and physical sanitization.
9.9 Protect devices that capture payment card 9.9 Examine documented policies and Criminals attempt to steal cardholder data by Not applicable Not applicable Not applicable: applies to non-Azure-
data via direct physical interaction with the card procedures to verify they include: stealing and/or manipulating card-reading hosted CDE components.
from tampering and substitution. - Maintaining a list of devices devices and terminals. For example, they will
- Periodically inspecting devices to look for try to steal devices so they can learn how to
Note: These requirements apply to card-reading tampering or substitution break into them, and they often try to
devices used in card-present transactions (that is, - Training personnel to be aware of replace legitimate devices with fraudulent
card swipe or dip) at the point of sale. This suspicious behavior and to report tampering devices that send them payment card
requirement is not intended to apply to manual or substitution of devices. information every time a card is entered.
key-entry components such as computer Criminals will also try to add “skimming”
keyboards and POS keypads. components to the outside of devices, which
are designed to capture payment card details
before they even enter the device—for
example, by attaching an additional card
reader on top of the legitimate card reader
so that the payment card details are
captured twice: once by the criminal’s
component and then by the device’s
legitimate component. In this way,
transactions may still be completed without
interruption while the criminal is “skimming”
the payment card information during the
process.
This requirement is recommended, but not
required, for manual key-entry components
such as computer keyboards and POS
keypads.
Additional best practices on skimming
prevention are available on the PCI SSC
website.
9.9.1 Maintain an up-to-date list of devices. The 9.9.1.a Examine the list of devices to verify it Keeping an up-to-date list of devices helps an Not applicable Not applicable Not applicable: applies to non-Azure-
list should include the following: includes: organization keep track of where devices are hosted CDE components.
- Make, model of device - Make, model of device supposed to be, and quickly identify if a
- Location of device (for example, the address of - Location of device (for example, the address device is missing or lost.
the site or facility where the device is located) of the site or facility where the device is The method for maintaining a list of devices
- Device serial number or other method of unique located) may be automated (for example, a device-
identification. - Device serial number or other method of management system) or manual (for
unique identification. example, documented in electronic or paper
records). For on-the-road devices, the
location may include the name of the
9.9.1.b Select a sample of devices from the personnel to whom the device is assigned.
list and observe devices and device locations
to verify that the list is accurate and up to
date.
9.9.1.c Interview personnel to verify the list

of devices is updated when devices are
added, relocated, decommissioned, etc.
9.9.2 Periodically inspect device surfaces to detect 9.9.2.a Examine documented procedures to Regular inspections of devices will help Not applicable Not applicable Not applicable: applies to non-Azure-
tampering (for example, addition of card skimmers verify processes are defined to include the organizations to more quickly detect hosted CDE components.
to devices), or substitution (for example, by following: tampering or replacement of a device, and
checking the serial number or other device - Procedures for inspecting devices thereby minimize the potential impact of
characteristics to verify it has not been swapped - Frequency of inspections. using fraudulent devices.
with a fraudulent device). The type of inspection will depend on the
device—for example, photographs of devices
Note: Examples of signs that a device might have that are known to be secure can be used to
been tampered with or substituted include compare a device’s current appearance with
unexpected attachments or cables plugged into its original appearance to see whether it has
the device, missing or changed security labels, changed. Another option may be to use a
broken or differently colored casing, or changes to secure marker pen, such as a UV light
the serial number or other external markings. 9.9.2.b Interview responsible personnel and marker, to mark device surfaces and device
observe inspection processes to verify: openings so any tampering or replacement
- Personnel are aware of procedures for will be apparent. Criminals will often replace
inspecting devices. the outer casing of a device to hide their
- All devices are periodically inspected for tampering, and these methods may help to
evidence of tampering and substitution. detect such activities. Device vendors may
also be able to provide security guidance and
“how to” guides to help determine whether
the device has been tampered with.
The frequency of inspections will depend on
factors such as location of device and
whether the device is attended or
unattended. For example, devices left in
public areas without supervision by the
organization’s personnel may have more
frequent inspections than devices that are
kept in secure areas or are supervised when
they are accessible to the public. The type
and frequency of inspections is determined
by the merchant, as defined by their annual
risk-assessment process.
9.9.3 Provide training for personnel to be aware of 9.9.3.a Review training materials for Criminals will often pose as authorized Not applicable Not applicable Not applicable: applies to non-Azure-
attempted tampering or replacement of devices. personnel at point-of-sale locations to verify maintenance personnel in order to gain hosted CDE components.
Training should include the following: they include training in the following: access to POS devices. All third parties
- Verify the identity of any third-party persons - Verifying the identity of any third-party requesting access to devices should always
claiming to be repair or maintenance personnel, persons claiming to be repair or maintenance be verified before being provided access—for
prior to granting them access to modify or personnel, prior to granting them access to example, by checking with management or
troubleshoot devices. modify or troubleshoot devices phoning the POS maintenance company
- Do not install, replace, or return devices without - Not to install, replace, or return devices (such as the vendor or acquirer) for
verification. without verification verification. Many criminals will try to fool
- Be aware of suspicious behavior around devices - Being aware of suspicious behavior around personnel by dressing for the part (for
(for example, attempts by unknown persons to devices (for example, attempts by unknown example, carrying toolboxes and dressed in
unplug or open devices). persons to unplug or open devices) work wear), and could also be
- Report suspicious behavior and indications of - Reporting suspicious behavior and knowledgeable about locations of devices, so
device tampering or substitution to appropriate indications of device tampering or it’s important personnel are trained to follow
personnel (for example, to a manager or security substitution to appropriate personnel (for procedures at all times.
officer). example, to a manager or security officer). Another trick criminals like to use is to send a
“new” POS system with instructions for
swapping it with a legitimate system and
“returning” the legitimate system to a
specified address. The criminals may even
provide return postage as they are very keen
to get their hands on these devices.
9.9.3.b Interview a sample of personnel at Personnel always verify with their manager
point-of-sale locations to verify they have or supplier that the device is legitimate and
received training and are aware of the came from a trusted source before installing
procedures for the following: it or using it for business.
- Verifying the identity of any third-party
persons claiming to be repair or maintenance
personnel, prior to granting them access to
modify or troubleshoot devices
- Not to install, replace, or return devices
without verification
- Being aware of suspicious behavior around
devices (for example, attempts by unknown
persons to unplug or open devices)
- Reporting suspicious behavior and
indications of device tampering or
substitution to appropriate personnel (for
example, to a manager or security officer).
9.10 Ensure that security policies and operational 9.10 Examine documentation and interview Personnel need to be aware of and following Not applicable Customers are responsible for access Customers are responsible for access
procedures for restricting physical access to personnel to verify that security policies and security policies and operational procedures policies related to CHD. These policies policies related to CHD. These policies
cardholder data are documented, in use, and operational procedures for restricting for restricting physical access to cardholder apply to data extracted from Azure to a apply to data extracted from Azure to a
known to all affected parties. physical access to cardholder data are: data and CDE systems on a continuous basis. physical location or durable media at the physical location or durable media at the
- Documented, customer premise. customer premise.
- In use, and
Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system
activity logs.

10.1 Implement audit trails to link all access to 10.1 Verify, through observation and It is critical to have a process or system that Microsoft Azure restricts access to Customers are responsible for recording Customers are responsible for recording
system components to each individual user. interviewing the system administrator, that: links user access to system components administrative and diagnostic tools to and maintaining logs of all access by and maintaining logs of all access by
- Audit trails are enabled and active for system accessed. This system generates audit logs authorized personnel with relevant job individual users to their custom individual users to IaaS instances in their
components. and provides the ability to trace back responsibility. Microsoft Azure restricts applications built on in-scope PaaS services. CDE.
- Access to system components is linked to suspicious activity to a specific user. privileged access to the tools used in the
individual users. production environment based on least
privilege principles. Microsoft Azure
records and maintains a log of all individual
10.2 Implement automated audit trails for all 10.2 Through interviews of responsible Generating audit trails of suspect activities user access to Microsoft Azure system
system components to reconstruct the following personnel, observation of audit logs, and alerts the system administrator, sends data components in the platform environment.
events: examination of audit log settings, perform the to other monitoring mechanisms (like
following: intrusion detection systems), and provides a Microsoft Azure platform components
history trail for post-incident follow-up. (including OS, CloudNet, Fabric, etc.) are
Logging of the following events enables an configured to log and collect security
organization to identify and trace potentially events. Administrator activity in the
malicious activities Microsoft Azure platform is logged.
10.2.1 All individual user accesses to cardholder 10.2.1 Verify all individual access to cardholder Malicious individuals could obtain knowledge
data data is logged. of a user account with access to systems in
the CDE, or they could create a new,
unauthorized account in order to access
cardholder data. A record of all individual
accesses to cardholder data can identify
which accounts may have been compromised
or misused.
10.2.2 All actions taken by any individual with root 10.2.2 Verify all actions taken by any individual Accounts with increased privileges, such as
or administrative privileges with root or administrative privileges are the “administrator” or “root” account, have
logged. the potential to greatly impact the security or
operational functionality of a system.
Without a log of the activities performed, an
organization is unable to trace any issues
resulting from an administrative mistake or
misuse of privilege back to the specific action
and individual.
10.2.3 Access to all audit trails 10.2.3 Verify access to all audit trails is logged. Malicious users often attempt to alter audit
logs to hide their actions, and a record of
access allows an organization to trace any
inconsistencies or potential tampering of the
logs to an individual account. Having access
to logs identifying changes, additions, and
deletions can help retrace steps made by
unauthorized personnel.
10.2.4 Invalid logical access attempts 10.2.4 Verify invalid logical access attempts are Malicious individuals will often perform
logged. multiple access attempts on targeted
systems. Multiple invalid login attempts may
be an indication of an unauthorized user’s
attempts to “brute force” or guess a
password.
10.2 5 Use of and changes to identification and 10.2.5.a Verify use of identification and Without knowing who was logged on at the
authentication mechanisms—including but not authentication mechanisms is logged. time of an incident, it is impossible to identify
limited to creation of new accounts and elevation the accounts that may have been used.
of privileges—and all changes, additions, or 10.2.5.b Verify all elevation of privileges is Additionally, malicious users may attempt to
deletions to accounts with root or administrative logged. manipulate the authentication controls with
privileges 10.2.5.c Verify all changes, additions, or the intent of bypassing them or
deletions to any account with root or impersonating a valid account.
administrative privileges are logged.
10.2.6 Initialization, stopping, or pausing of the 10.2.6 Verify the following are logged: Turning the audit logs off (or pausing them)
audit logs - Initialization of audit logs prior to performing illicit activities is a
- Stopping or pausing of audit logs. common practice for malicious users wishing
to avoid detection. Initialization of audit logs
could indicate that the log function was
disabled by a user to hide their actions.
10.2.7 Creation and deletion of system-level 10.2.7 Verify creation and deletion of system Malicious software, such as malware, often
objects level objects are logged. creates or replaces system level objects on
the target system in order to control a
particular function or operation on that
system. By logging when system-level
objects, such as database tables or stored
procedures, are created or deleted, it will be
easier to determine whether such
modifications were authorized.
10.3 Record at least the following audit trail 10.3 Through interviews and observation of By recording these details for the auditable Microsoft Azure has established procedures Customers are responsible for tracking Customers are responsible for tracking
entries for all system components for each event: audit logs, for each auditable event (from events at 10.2, a potential compromise can to synchronize servers and network devices changes to authentication or identification changes to authentication or identification
10.2), perform the following: be quickly identified, and with sufficient in the Microsoft Azure environment with methods, events recorded for audit, methods, events recorded for audit,
detail to know who, what, where, when, and NTP Stratum 1 time servers synchronized to stopping of audit trails, affected data and stopping of audit trails, affected data and
how. Global Positioning System (GPS) satellites. other events occuring in their custom other events in their CDE.
10.3.1 User identification 10.3.1 Verify user identification is included in Synchronization is performed automatically applications built on in-scope PaaS services.
log entries. every five minutes. Microsoft Azure is
responsible for ensuring service hosts
properly sync time.
By recording these details for the auditable Microsoft Azure has established procedures Customers are responsible for tracking Customers are responsible for tracking
events at 10.2, a potential compromise can to synchronize servers and network devices changes to authentication or identification changes to authentication or identification
be quickly identified, and with sufficient in the Microsoft Azure environment with methods, events recorded for audit, methods, events recorded for audit,
detail to know who, what, where, when, and NTP Stratum 1 time servers synchronized to stopping of audit trails, affected data and stopping of audit trails, affected data and
how. Global Positioning System (GPS) satellites. other events occuring in their custom other events in their CDE.
Synchronization is performed automatically applications built on in-scope PaaS services.
every five minutes. Microsoft Azure is
responsible for ensuring service hosts
10.3.2 Type of event 10.3.2 Verify type of event is included in log properly sync time.
entries.
10.3.3 Date and time 10.3.3 Verify date and time stamp is included
in log entries.
10.3.4 Success or failure indication 10.3.4 Verify success or failure indication is
included in log entries.
10.3.5 Origination of event 10.3.5 Verify origination of event is included in
log entries.
10.3.6 Identity or name of affected data, system 10.3.6 Verify identity or name of affected data,
component, or resource. system component, or resources is included in
log entries.
10.4 Using time-synchronization technology, 10.4 Examine configuration standards and Time synchronization technology is used to Microsoft Azure has established procedures Not applicable Customers are responsible for ensuring
synchronize all critical system clocks and times and processes to verify that time-synchronization synchronize clocks on multiple systems. to synchronize servers and network devices that all in-scope IaaS instances synchronize
ensure that the following is implemented for technology is implemented and kept current When clocks are not properly synchronized, in the Microsoft Azure environment with critical system clocks and times with an
acquiring, distributing, and storing time. per PCI DSS Requirements 6.1 and 6.2. it can be difficult, if not impossible, to NTP Stratum 1 time servers synchronized to external, approved time source. Customers
compare log files from different systems and Global Positioning System (GPS) satellites. may use the Azure platform hypervisor
Note: One example of time synchronization establish an exact sequence of event (crucial Synchronization is performed automatically hosts as an authoritative time source.
technology is Network Time Protocol (NTP). for forensic analysis in the event of a breach). every five minutes. Microsoft Azure is
10.4.1 Critical systems have the correct and 10.4.1.a Examine the process for acquiring, For post-incident forensics teams, the responsible for ensuring service hosts
consistent time. distributing and storing the correct time within accuracy and consistency of time across all properly sync time.
the organization to verify that: systems and the time of each activity is
- Only the designated central time server(s) critical in determining how the systems were
receives time signals from external sources, compromised.
and time signals from external sources are
based on International Atomic Time or UTC.
- Where there is more than one designated
time server, the time servers peer with one
another to keep accurate time,
- Systems receive time information only from
designated central time server(s).
10.4.1.b Observe the time-related system-

parameter settings for a sample of system
components to verify:
- Only the designated central time server(s)
receives time signals from external sources,
and time signals from external sources are
based on International Atomic Time or UTC.
- Where there is more than one designated
time server, the designated central time
server(s) peer with one another to keep
accurate time.
- Systems receive time only from designated
central time server(s).
10.4.2 Time data is protected. 10.4.2.a Examine system configurations and

time-synchronization settings to verify that
access to time data is restricted to only
personnel with a business need to access time
data.
10.4.2.b Examine system configurations, time

synchronization settings and logs, and
processes to verify that any changes to time
settings on critical systems are logged,
monitored, and reviewed.
10.4.3 Time settings are received from industry- 10.4.3 Examine systems configurations to
accepted time sources. verify that the time server(s) accept time
updates from specific, industry-accepted
external sources (to prevent a malicious
individual from changing the clock). Optionally,
those updates can be encrypted with a
symmetric key, and access control lists can be
created that specify the IP addresses of client
machines that will be provided with the time
updates (to prevent unauthorized use of
internal time servers).
10.5 Secure audit trails so they cannot be altered. 10.5 Interview system administrators and Often a malicious individual who has entered FIM and IDS tools are implemented within Customers are responsible for ensuring any Customers are responsible for ensuring any
examine system configurations and the network will attempt to edit the audit the Microsoft Azure environment. externally-available applications have logs externally-available applications have logs
permissions to verify that audit trails are logs in order to hide their activity. Without Microsoft Azure supports real-time analysis written to a centralized, internal log server, written to a centralized, internal log server,
secured so that they cannot be altered as adequate protection of audit logs, their of events within its operational which has FIM coverage. which has FIM coverage.
follows: completeness, accuracy, and integrity cannot environment. MAs and AIMS generate near
be guaranteed, and the audit logs can be real-time alerts about events that could
rendered useless as an investigation tool potentially compromise the system.
after a compromise.
Logging of service, user and security events
(web server logs, FTP server logs, etc.) is
10.5.1 Limit viewing of audit trails to those with a 10.5.1 Only individuals who have a job-related Adequate protection of the audit logs enabled and retained centrally. Azure
job-related need. need can view audit trail files. includes strong access control (limit access to restricts access to audit logs to authorized
logs based on “need to know” only), and use personnel based on job responsibilities.
10.5.2 Protect audit trail files from unauthorized 10.5.2 Current audit trail files are protected of physical or network segregation to make Event logs are archived on the Azure secure
modifications. from unauthorized modifications via access the logs harder to find and modify. archival infrastructure and are retained for
control mechanisms, physical segregation, Promptly backing up the logs to a centralized 180 days.
and/or network segregation. log server or media that is difficult to alter
keeps the logs protected even if the system
10.5.3 Promptly back up audit trail files to a 10.5.3 Current audit trail files are promptly generating the logs becomes compromised.
centralized log server or media that is difficult to backed up to a centralized log server or media
alter. that is difficult to alter.
personnel based on job responsibilities.
Event logs are archived on the Azure secure
archival infrastructure and are retained for
180 days.
10.5.4 Write logs for external-facing technologies 10.5.4 Logs for external-facing technologies By writing logs from external-facing
onto a secure, centralized, internal log server or (for example, wireless, firewalls, DNS, mail) are technologies such as wireless, firewalls, DNS,
media device. written onto a secure, centralized, internal log and mail servers, the risk of those logs being
server or media. lost or altered is lowered, as they are more
secure within the internal network.
Logs may be written directly, or offloaded or
copied from external systems, to the secure
internal system or media.
10.5.5 Use file-integrity monitoring or change- 10.5.5 Examine system settings, monitored File-integrity monitoring or change-detection
detection software on logs to ensure that existing files, and results from monitoring activities to systems check for changes to critical files,
log data cannot be changed without generating verify the use of file-integrity monitoring or and notify when such changes are noted. For
alerts (although new data being added should not change-detection software on logs. file-integrity monitoring purposes, an entity
cause an alert). usually monitors files that don’t regularly
change, but when changed indicate a
possible compromise.
10.6 Review logs and security events for all system 10.6 Perform the following: Many breaches occur over days or months
components to identify anomalies or suspicious before being detected. Checking logs daily
activity. minimizes the amount of time and exposure
of a potential breach.
Note: Log harvesting, parsing, and alerting tools Regular log reviews by personnel or
may be used to meet this Requirement. automated means can identify and
proactively address unauthorized access to
the cardholder data environment.
The log review process does not have to be
manual. The use of log harvesting, parsing,
and alerting tools can help facilitate the
process by identifying log events that need to
be reviewed.
10.6 Review logs and security events for all system 10.6 Perform the following: Many breaches occur over days or months FIM and IDS tools are implemented within Customers are responsible for reviewing Customers are responsible for reviewing
components to identify anomalies or suspicious before being detected. Regular log reviews the Microsoft Azure environment. available logs and security events for all in- logs and security events for all in-scope
activity. by personnel or automated means can Microsoft Azure supports real-time analysis scope PaaS services to identify anomalies IaaS instances and applications to identify
identify and proactively address of events within its operational or suspicious activity. anomalies or suspicious activity.
Note: Log harvesting, parsing, and alerting tools unauthorized access to the cardholder data environment. MAs and AIMS generate near
may be used to meet this Requirement. environment. real-time alerts about events that could
The log review process does not have to be potentially compromise the system.
manual. The use of log harvesting, parsing,
and alerting tools can help facilitate the Logging of service, user and security events
process by identifying log events that need to (web server logs, FTP server logs, etc.) is
be reviewed. enabled and retained centrally. Azure
restricts access to audit logs to authorized
personnel based on job responsibilities.
10.6.1 Review the following at least daily: 10.6.1.a Examine security policies and Checking logs daily minimizes the amount of Event logs are archived on the Azure secure
- All security events procedures to verify that procedures are time and exposure of a potential breach. archival infrastructure and are retained for
- Logs of all system components that store, defined for reviewing the following at least Daily review of security events—for example, 180 days.
process, or transmit CHD and/or SAD daily, either manually or via log tools: notifications or alerts that identify suspicious
- Logs of all critical system components - All security events or anomalous activities—as well as logs from
- Logs of all servers and system components that - Logs of all system components that store, critical system components, and logs from
perform security functions (for example, firewalls, process, or transmit CHD and/or SAD systems that perform security functions, such
intrusion-detection systems/intrusion-prevention - Logs of all critical system components as firewalls, IDS/IPS, file-integrity monitoring
systems (IDS/IPS), authentication servers, e- - Logs of all servers and system components (FIM) systems, etc. is necessary to identify
commerce redirection servers, etc.). that perform security functions (for example, potential issues. Note that the determination
firewalls, intrusion-detection of “security event” will vary for each
systems/intrusion-prevention systems organization and may include consideration
(IDS/IPS), authentication servers, e-commerce for the type of technology, location, and
redirection servers, etc.) function of the device. Organizations may
also wish to maintain a baseline of “normal”
traffic to help identify anomalous behavior.
10.6.1.b Observe processes and interview
personnel to verify that the following are
reviewed at least daily:
- All security events
- Logs of all system components that store,
process, or transmit CHD and/or SAD
- Logs of all critical system components
- Logs of all servers and system components
that perform security functions (for example,
firewalls, intrusion-detection
systems/intrusion-prevention systems
(IDS/IPS), authentication servers, e-commerce
redirection servers, etc.).
10.6.2 Review logs of all other system components 10.6.2.a Examine security policies and Logs for all other system components should
periodically based on the organization’s policies procedures to verify that procedures are also be periodically reviewed to identify
and risk management strategy, as determined by defined for reviewing logs of all other system indications of potential issues or attempts to
the organization’s annual risk assessment. components periodically—either manually or gain access to sensitive systems via less-
via log tools—based on the organization’s sensitive systems. The frequency of the
policies and risk management strategy. reviews should be determined by an entity’s
annual risk assessment.
10.6.2.b Examine the organization’s risk-

assessment documentation and interview
personnel to verify that reviews are performed
in accordance with organization’s policies and
risk management strategy.
10.6.3 Follow up exceptions and anomalies 10.6.3.a Examine security policies and If exceptions and anomalies identified during
identified during the review process. procedures to verify that procedures are the log-review process are not investigated,
defined for following up on exceptions and the entity may be unaware of unauthorized
anomalies identified during the review process. and potentially malicious activities that are
occurring within their own network.
10.6.3.b Observe processes and interview
personnel to verify that follow-up to
exceptions and anomalies is performed.
10.7 Retain audit trail history for at least one year, 10.7.a Examine security policies and Retaining logs for at least a year allows for Microsoft Azure retains audit logs for one Customers are responsible for ensuring logs Customers are responsible for ensuring logs
with a minimum of three months immediately procedures to verify that they define the the fact that it often takes a while to notice year, with the most recent 3 months under their control are retained and under their control are retained and
available for analysis (for example, online, following: that a compromise has occurred or is immediately accessible through their accessible for the required time periods. accessible for the required time periods.
archived, or restorable from backup). - Audit log retention policies occurring, and allows investigators sufficient internal portal.
- Procedures for retaining audit logs for at least log history to better determine the length of
one year, with a minimum of three months time of a potential breach and potential
immediately available online. system(s) impacted. By having three months
of logs immediately available, an entity can
quickly identify and minimize impact of a
10.7.b Interview personnel and examine audit data breach. Storing logs in off-line locations
logs to verify that audit logs are available for at could prevent them from being readily
least one year. available, resulting in longer time frames to
restore log data, perform analysis, and
10.7.c Interview personnel and observe identify impacted systems or data.
processes to verify that at least the last three
months’ logs can be immediately restored for
analysis.
10.8 Additional requirement for service providers 10.8.a Examine documented policies and Note: This requirement applies only when Microsoft Azure supports real-time analysis Customers are responsible for their polices Customers are responsible for their polices
only: Implement a process for the timely detection procedures to verify that processes are defined the entity being assessed is a service of events within its operational and procedures for detecting failures of and procedures for detecting failures of
and reporting of failures of critical security control for the timely detection and reporting of provider. environment. MAs and AIMS generate near critical security controls. critical security controls.
systems, including but not limited to failure of: failures of critical security control systems, real-time alerts about events that could
- Firewalls including but not limited to failure of: Without formal processes to detect and alert potentially compromise the system.
- IDS/IPS -Firewalls when critical security controls fail, failures
- FIM - IDS/IPS may go undetected for extended periods and
- Anti-virus - FIM provide attackers ample time to compromise
- Physical access controls - Anti-virus systems and steal sensitive data from the
- Logical access controls - Physical access controls cardholder data
- Audit logging mechanisms - Logical access controls environment.
- Segmentation controls (if used) - Audit logging mechanisms The specific types of failures may vary
- Segmentation controls (if used) depending on the function of the device and
technology in use. Typical failures include a
system ceasing to perform its security
function or not functioning in
its intended manner; for example, a firewall
erasing all its rules or going offline.
10.8.b Examine detection and alerting
processes and interview personnel to verify
that processes are implemented for all critical
security controls, and that failure of a critical
security control results in the generation of an
alert.
10.8.1 Additional requirement for service 10.8.1.a Examine documented policies and Note: This requirement applies only when
providers only: Respond to failures of any critical procedures and interview personnel to verify the entity being assessed is a service
security controls in a timely manner. Processes for processes are defined and implemented to provider.
responding to failures in security controls must respond to a security control failure, and If critical security control failures alerts are
include: include: not quickly and effectively responded to,
- Restoring security functions - Restoring security functions attackers may use this time to insert
- Identifying and documenting the duration (date - Identifying and documenting the duration malicious software, gain control of a system,
and time start to end) of the security failure (date and time start to end) of the security or steal data from the entity’s environment.
- Identifying and documenting cause(s) of failure, failure Documented evidence (e.g., records within a
including root cause, and documenting - Identifying and documenting cause(s) of problem management system) should
remediation required to address root cause failure, including root cause, and documenting support that processes and procedures are in
- Identifying and addressing any security issues remediation required to place to respond
that arose during the failure address root cause to security failures. In addition, personnel
- Performing a risk assessment to determine - Identifying and addressing any security issues should be aware of their responsibilities in
whether further actions are required as a result of that arose during the failure the event of a
the security failure - Performing a risk assessment to determine failure. Actions and responses to the failure
- Implementing controls to prevent cause of whether further actions are required as a should be captured in the documented
failure from reoccurring result of the security failure evidence.
-Resuming monitoring of security controls - Implementing controls to prevent cause of
failure from reoccurring
- Resuming monitoring of security controls
10.8.1.b Examine records to verify that security

control failures are documented to include:
- Identification of cause(s) of the failure,
including root cause
- Duration (date and time start and end) of the
security failure
- Details of the remediation required to
address the root cause
10.9 Ensure that security policies and operational 10.9 Examine documentation and interview Personnel need to be aware of and following Not applicable Customers are responsible for creating and Customers are responsible for creating and
procedures for monitoring all access to network personnel to verify that security policies and security policies and daily operational maintaining policies for monitoring all maintaining policies for monitoring all
resources and cardholder data are documented, in operational procedures for monitoring all procedures for monitoring all access to access to cardholder data. access to cardholder data.
use, and known to all affected parties. access to network resources and cardholder network resources and cardholder data on a
data are: continuous basis.
- Documented,
- In use, and
Requirement 11: Regularly test security systems and processes.
Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

11.1 Implement processes to test for the presence 11.1.a Examine policies and procedures to Implementation and/or exploitation of Azure does not permit or allow wireless Not applicable Not applicable
of wireless access points (802.11), and detect and verify processes are defined for detection and wireless technology within a network are connections in the Azure network
identify all authorized and unauthorized wireless identification of both authorized and some of the most common paths for environment. Internal security teams
access points on a quarterly basis. unauthorized wireless access points on a malicious users to gain access to the network regularly scans for rogue wireless signals on
quarterly basis. and cardholder data. If a wireless device or a quarterly basis and rogue signals are
Note: Methods that may be used in the process network is installed without a company’s investigated and removed. Customers are
include but are not limited to wireless network 11.1.b Verify that the methodology is adequate knowledge, it can allow an attacker to easily not permitted to deploy wireless
scans, physical/logical inspections of system to detect and identify any unauthorized and “invisibly” enter the network. technology in the Azure environment.
components and infrastructure, network access wireless access points, including at least the Unauthorized wireless devices may be
control (NAC), or wireless IDS/IPS. following: hidden within or attached to a computer or
- WLAN cards inserted into system other system component, or be attached
Whichever methods are used, they must be components directly to a network port or network device,
sufficient to detect and identify both authorized - Portable or mobile devices attached to such as a switch or router. Any such
and unauthorized devices. system components to create a wireless access unauthorized device could result in an
point (for example, by USB, etc.) unauthorized access point into the
- Wireless devices attached to a network port environment.
or network device. Knowing which wireless devices are
authorized can help administrators quickly
identify non-authorized wireless devices, and
11.1.c If wireless scanning is utilized, examine responding to the identification of
output from recent wireless scans to verify unauthorized wireless access points helps to
that: proactively minimize the exposure of CDE to
- Authorized and unauthorized wireless access malicious individuals.
points are identified, and Due to the ease with which a wireless access
- The scan is performed at least quarterly for point can be attached to a network, the
all system components and facilities. difficulty in detecting their presence, and the
increased risk presented by unauthorized
wireless devices, these processes must be
11.1.d If automated monitoring is utilized (for performed even when a policy exists
example, wireless IDS/IPS, NAC, etc.), verify the prohibiting the use of wireless technology.
configuration will generate alerts to notify The size and complexity of a particular
personnel. environment will dictate the appropriate
tools and processes to be used to provide
sufficient assurance that a rogue wireless
11.1.1 Maintain an inventory of authorized 11.1.1 Examine documented records to verify access point has not been installed in the
wireless access points including a documented that an inventory of authorized wireless access environment.
business justification. points is maintained and a business For example: In the case of a single
justification is documented for all authorized standalone retail kiosk in a shopping mall,
wireless access points. where all communication components are
contained within tamper-resistant and
tamper-evident casings, performing a
detailed physical inspection of the kiosk itself
may be sufficient to provide assurance that a
rogue wireless access point has not been
attached or installed. However, in an
environment with multiple nodes (such as in
a large retail store, call center, server room
or data center), detailed physical inspection
is difficult. In this case, multiple methods may
be combined to meet the requirement, such
as performing physical system inspections in
conjunction with the results of a wireless
analyzer.
11.1.2 Implement incident response procedures in 11.1.2.a Examine the organization’s incident
the event unauthorized wireless access points are response plan (Requirement 12.10) to verify it
detected. defines and requires a response in the event
that an unauthorized wireless access point is
detected.
11.1.2.b Interview responsible personnel

and/or inspect recent wireless scans and
related responses to verify action is taken
when unauthorized wireless access points are
found.
11.2 Run internal and external network 11.2 Examine scan reports and supporting A vulnerability scan is a combination of Azure performs quarterly internal and Customers are responsible for performing Customers are responsible for performing
vulnerability scans at least quarterly and after any documentation to verify that internal and automated or manual tools, techniques, external vulnerability scans. Scans are quarterly internal and external vulnerability quarterly internal and external vulnerability
significant change in the network (such as new external vulnerability scans are performed as and/or methods run against external and performed by qualified personnel. scans and rescans as needed against all scans and rescans as needed against all
system component installations, changes in follows: internal network devices and servers, PaaS instances in their CDE. IaaS instances in their CDE.
network topology, firewall rule modifications, designed to expose potential vulnerabilities
product upgrades). that could be found and exploited by Scan scope should be accessible service Scan scope should include all in-scope IaaS
malicious individuals. endpoints under the management of the instances.
Note: Multiple scan reports can be combined for There are three types of vulnerability customer, not the underlying service
the quarterly scan process to show that all systems scanning required for PCI DSS: infrastructure.
were scanned and all applicable vulnerabilities - Internal quarterly vulnerability scanning by
have been addressed. Additional documentation qualified personnel (use of a PCI SSC
may be required to verify non-remediated Approved Scanning Vendor (ASV) is not
vulnerabilities are in the process of being required)
addressed. - External quarterly vulnerability scanning,
For initial PCI DSS compliance, it is not required which must be performed by an ASV
that four quarters of passing scans be completed if - Internal and external scanning as needed
the assessor verifies 1) the most recent scan result after significant changes
was a passing scan, 2) the entity has documented Once these weaknesses are identified, the
policies and procedures requiring quarterly entity corrects them and repeats the scan
scanning, and 3) vulnerabilities noted in the scan until all vulnerabilities have been corrected.
results have been corrected as shown in a re- Identifying and addressing vulnerabilities in a
scan(s). For subsequent years after the initial PCI timely manner reduces the likelihood of a
DSS review, four quarters of passing scans must vulnerability being exploited and potential
have occurred. compromise of a system component or
cardholder data.
11.2.1 Perform quarterly internal vulnerability 11.2.1.a Review the scan reports and verify An established process for identifying Microsoft Azure performs scans for Customers are responsible for performing Customers are responsible for performing
scans and rescans as needed, until all “high-risk” that four quarterly internal scans occurred in vulnerabilities on internal systems requires vulnerabilities on in-scope underlying quarterly internal vulnerability scans and quarterly internal vulnerability scans and
vulnerabilities (as identified in Requirement 6.1) the most recent 12-month period. that vulnerability scans be conducted infrastructure. Micorsoft Azure implements rescans as needed against all PaaS rescans as needed against all IaaS instances
are resolved. Scans must be performed by quarterly. Vulnerabilities posing the greatest vulnerability scanning on server operating instances in their CDE. in their CDE.
qualified personnel. risk to the environment (for example, ranked systems, databases, and network devices
11.2.1.b Review the scan reports and verify “High” per Requirement 6.1) should be with the appropriate vulnerability scanning
that the scan process includes rescans until all resolved with the highest priority. tools. Azure web applications are scanned
“high-risk” vulnerabilities as defined in PCI DSS with appropriate industry scanning
Requirement 6.1 are resolved. Internal vulnerability scans can be performed solutions. Vulnerability scans are
by qualified, internal staff that are performed on a quarterly basis.
11.2.1.c Interview personnel to verify that the reasonably independent of the system
scan was performed by a qualified internal component(s) being scanned (for example, a Rescans are performed as needed against
resource(s) or qualified external third party, firewall administrator should not be all systems, until all “high-risk”
and if applicable, organizational independence responsible for scanning the firewall), or an vulnerabilities (as identified in Requirement
of the tester exists (not required to be a QSA entity may choose to have internal 6.1) are resolved.
or ASV). vulnerability scans performed by a firm
specializing in vulnerability scanning.
11.2.2 Perform quarterly external vulnerability 11.2.2.a Review output from the four most As external networks are at greater risk of Microsoft Azure performs external scans Customers are responsible for performing Customers are responsible for performing
scans, via an Approved Scanning Vendor (ASV) recent quarters of external vulnerability scans compromise, quarterly external vulnerability for vulnerabilities on in-scope underlying quarterly external vulnerability scans and quarterly external vulnerability scans and
approved by the Payment Card Industry Security and verify that four quarterly external scanning must be performed by a PCI SSC infrastructure that is accessible externally. rescans as needed against all PaaS rescans as needed against all IaaS instances
Standards Council (PCI SSC). Perform rescans as vulnerability scans occurred in the most recent Approved Scanning Vendor (ASV). Scans are performed by an Approved Scan instances in their CDE, using an Approved in their CDE, using an Approved Scanning
needed, until passing scans are achieved. 12-month period. Vendor (ASV). Scanning Vendor (ASV) approved by the Vendor (ASV) approved by the Payment
A robust scanning program ensures that Payment Card Industry Security Standards Card Industry Security Standards Council.
Note: Quarterly external vulnerability scans must scans are performed and vulnerabilities Microsoft Azure subscribes to MSRC/OSSC Council.
be performed by an Approved Scanning Vendor addressed in a timely manner. monthly patch notifications and scans for Prior to initiating an external scan against
(ASV), approved by the Payment Card Industry vulnerabilities at least quarterly. Identified Prior to initiating an external scan against the Microsoft Azure environment,
Security Standards Council (PCI SSC). Refer to the 11.2.2.b Review the results of each quarterly vulnerabilities are evaluated and the Microsoft Azure environment, permission must be requested from
ASV Program Guide published on the PCI SSC scan and rescan to verify that the ASV Program remediated per established timeline based permission must be requested from Microsoft Azure.
website for scan customer responsibilities, scan Guide requirements for a passing scan have on the level of risk. Microsoft Azure.
preparation, etc. been met (for example, no vulnerabilities rated
4.0 or higher by the CVSS, and no automatic Each quarter targeted comprehensive
failures). security vulnerability scanning against
prioritized components of the Microsoft
11.2.2.c Review the scan reports to verify that Azure environment is performed to identify
the scans were completed by a PCI SSC security vulnerabilities.
Approved Scanning Vendor (ASV).
11.2.3 Perform internal and external scans, and 11.2.3.a Inspect and correlate change control The determination of what constitutes a Results are reported to stakeholders and Customers are responsible for performing Customers are responsible for performing
rescans as needed, after any significant change. documentation and scan reports to verify that significant change is highly dependent on the remediation is tracked by the Azure quarterly internal and external vulnerability quarterly internal and external vulnerability
Scans must be performed by qualified personnel. system components subject to any significant configuration of a given environment. If an Security Team team through closure. Azure scans and rescans as needed against all scans and rescans as needed against all
change were scanned. upgrade or modification could allow access test results may be shared with customers PaaS instances in their CDE. Scans should IaaS instances in their CDE. Scans should be
to cardholder data or affect the security of under NDA. be performed after significant changes in performed after significant changes in the
the cardholder data environment, then it the in-scope environment. in-scope environment.
11.2.3.b Review scan reports and verify that could be considered significant.
the scan process includes rescans until: Scanning an environment after any Scans must be performed by an ASV or Scans must be performed by an ASV or
- For external scans, no vulnerabilities exist significant changes are made ensures that personnel with organizational personnel with organizational
that are scored 4.0 or higher by the CVSS. changes were completed appropriately such independence. independence.
- For internal scans, all “high-risk” that the security of the environment was not
vulnerabilities as defined in PCI DSS compromised as a result of the change. All
Requirement 6.1 are resolved. system components affected by the change
will need to be scanned.
11.2.3.c Validate that the scan was performed

by a qualified internal resource(s) or qualified
external third party, and if applicable,
organizational independence of the tester
exists (not required to be a QSA or ASV).
11.3 Implement a methodology for penetration 11.3 Examine penetration-testing methodology The intent of a penetration test is to simulate Microsoft Azure validates services using Customers are responsible for Customers are responsible for
testing that includes the following: and interview responsible personnel to verify a a real-world attack situation with a goal of third party penetration testing based upon implementing a penetration testing implementing a penetration testing
- Is based on industry-accepted penetration methodology is implemented that includes the identifying how far an attacker would be able the OWASP (Open Web Application methodology that meets current PCI DSS methodology that meets current PCI DSS
testing approaches (for example, NIST SP800-115) following: to penetrate into an environment. This Security Project) top ten using CREST- standard requirements. All PaaS instances standard requirements. All IaaS instances in
- Includes coverage for the entire CDE perimeter - Is based on industry-accepted penetration allows an entity to gain a better certified testers. The results of testing are in the CDE are considered in scope and the CDE are considered in scope and
and critical systems testing approaches (for example, NIST SP800- understanding of their potential exposure tracked through a risk register, which is testing must occur at least annually. testing must occur at least annually.
- Includes testing from both inside and outside the 115) and develop a strategy to defend against audited and reviewed on a regular basis to
network - Includes coverage for the entire CDE attacks. ensure compliance to security practices.
- Includes testing to validate any segmentation perimeter and critical systems A penetration test differs from a vulnerability
and scope-reduction controls - Testing from both inside and outside the scan, as a penetration test is an active Microsoft also uses Red Teaming against
- Defines application-layer penetration tests to network process that may include exploiting identified Microsoft-managed infrastructure, services
include, at a minimum, the vulnerabilities listed in - Includes testing to validate any segmentation vulnerabilities. Conducting a vulnerability and applications. No end-customer data is
Requirement 6.5 and scope-reduction controls scan may be one of the first steps a deliberately targeted during Red Teaming
- Defines network-layer penetration tests to - Defines application-layer penetration tests to penetration tester will perform in order to and live site penetration testing. The tests
include components that support network include, at a minimum, the vulnerabilities plan the testing strategy, although it is not are against Microsoft Azure infrastructure
functions as well as operating systems listed in Requirement 6.5 the only step. Even if a vulnerability scan and platforms as well as Microsoft’s own
- Includes review and consideration of threats and - Defines network-layer penetration tests to does not detect known vulnerabilities, the applications and data. Customer tenants,
vulnerabilities experienced in the last 12 months include components that support network penetration tester will often gain enough applications and data hosted in Azure are
- Specifies retention of penetration testing results functions as well as operating systems knowledge about the system to identify never targeted.
and remediation activities results. - Includes review and consideration of threats possible security gaps.
and vulnerabilities experienced in the last 12 Penetration testing is generally a highly Microsoft Azure has employed an
months manual process. While some automated independent assessor to develop a system
- Specifies retention of penetration testing tools may be used, the tester uses their assessment plan and conduct a controls
results and remediation activities results. knowledge of systems to penetrate into an assessment. Controls assessments are
environment. Often the tester will chain performed annually and the results are
several types of exploits together with a goal reported to relevant parties.
of breaking through layers of defenses. For
example, if the tester finds a means to gain
access to an application server, they will then
use the compromised server as a point to
stage a new attack based on the resources
the server has access to. In this way, a tester
is able to simulate the methods performed
by an attacker to identify areas of potential
weakness in the environment. Penetration
testing techniques will be different for
different organizations, and the type, depth,
11.3.1 Perform external penetration testing at 11.3.1.a Examine the scope of work and results Penetration testing conducted on a regular Customers are responsible for Customers are responsible for
least annually and after any significant from the most recent external penetration test basis and after significant changes to the implementing a penetration testing implementing a penetration testing
infrastructure or application upgrade or to verify that penetration testing is performed environment is a proactive security measure methodology that meets current PCI DSS methodology that meets current PCI DSS
modification (such as an operating system as follows: that helps minimize potential access to the standard requirements. All PaaS instances standard requirements. All IaaS instances in
upgrade, a sub-network added to the - Per the defined methodology CDE by malicious individuals. in the CDE are considered in scope and the CDE are considered in scope and
environment, or a web server added to the - At least annually The determination of what constitutes a testing must occur at least annually. testing must occur at least annually.
environment). - After any significant changes to the significant upgrade or modification is highly
environment. dependent on the configuration of a given
environment. If an upgrade or modification
could allow access to cardholder data or
11.3.1.b Verify that the test was performed by affect the security of the cardholder data
a qualified internal resource or qualified environment, then it could be considered
external third party, and if applicable, significant. Performing penetration tests
organizational independence of the tester after network upgrades and modifications
exists (not required to be a QSA or ASV). provides assurance that the controls
assumed to be in place are still working
effectively after the upgrade or modification.
11.3.2 Perform internal penetration testing at 11.3.2.a Examine the scope of work and results Microsoft Azure contracts with Customers are responsible for performing Customers are responsible for performing
least annually and after any significant from the most recent internal penetration test independent assessors to perform internal penetration testing of PaaS internal penetration testing of IaaS
infrastructure or application upgrade or to verify that penetration testing is performed penetration testing of the Microsoft Azure instances in the CDE at least annually and instances in the CDE at least annually and
modification (such as an operating system as follows. boundary. Red-Team exercises are also after any significant infrastructure or after any significant infrastructure or
upgrade, a sub-network added to the -Per the defined methodology routinely performed and results used to application upgrade or modification (such application upgrade or modification (such
environment, or a web server added to the - At least annually make security improvements. as a sub-network added to the as an operating system upgrade, a sub-
environment). - After any significant changes to the environment, or a web server added to the network added to the environment, or a
environment. environment). web server added to the environment).
11.3.2.b Verify that the test was performed by

a qualified internal resource or qualified
external third party, and if applicable,
organizational independence of the tester
11.3.3 Exploitable vulnerabilities found during 11.3.3 Examine penetration testing results to Procedures have been established to Customers are responsible for ensuring Customers are responsible for ensuring
penetration testing are corrected and testing is verify that noted exploitable vulnerabilities monitor the Microsoft Azure platform vulnerabilities found during penetration vulnerabilities found during penetration
repeated to verify the corrections. were corrected and that repeated testing components for known security testing are corrected and testing is testing are corrected and testing is
confirmed the vulnerability was corrected. vulnerabilities. repeated to verify the corrections. repeated to verify the corrections.
Each quarter targeted comprehensive

security vulnerability scanning against
11.3.4 If segmentation is used to isolate the CDE 11.3.4.a Examine segmentation controls and Penetration testing is an important tool to prioritized components of the Azure Customers are responsible for validating Customers are responsible for validating
from other networks, perform penetration tests at review penetration-testing methodology to confirm that any segmentation in place to production environment is performed to segmentation for PaaS instances configured segmentation configured using Microsoft
least annually and after any changes to verify that penetration-testing procedures are isolate the CDE from other networks is identify security vulnerabilities. Results are using Microsoft Azure networking controls. Azure networking controls for in-scope
segmentation controls/methods to verify that the defined to test all segmentation methods to effective. The penetration testing should reported to stakeholders and remediation customer-managed infrastructure.
segmentation methods are operational and confirm they are operational and effective, and focus on the segmentation controls, both is tracked by the team through closure.
effective, and isolate all out-of-scope systems isolate all out-of-scope systems from systems from outside the entity’s network and from
from systems in the CDE. in the CDE. inside the network but outside of the CDE, to
confirm that they are not able to get through
the segmentation controls to access the CDE.
11.3.4.b Examine the results from the most For example, network testing and/or
recent penetration test to verify that: scanning for open ports, to verify no
- Penetration testing to verify segmentation connectivity between in-scope and out-of-
controls is performed at least annually and scope networks.
after any changes to segmentation
controls/methods.
- The penetration testing covers all
segmentation controls/methods in use.
- The penetration testing verifies that
segmentation controls/methods are
operational and effective, and isolate all out-
of-scope systems from systems in the CDE.
11.3.4.c Verify that the test was performed by Customers are responsible for arranging Customers are responsible for arranging
a qualified internal resource or qualified penetration testing by qualified resources, penetration testing by qualified resources,
external third party and, if applicable, either external, or internal with either external, or internal with
organizational independence of the tester organizational independence. organizational independence.
11.3.4.1 Additional requirement for service 11.3.4.1.a Examine the results from the most Note: This requirement applies only when Microsoft Azure contracts with a qualified Customers who are service providers Customers who are service providers
providers only: If segmentation is used, confirm recent penetration test to verify that: the entity being assessed is a service external third party security organization to should perform penetration testing to should perform penetration testing to
PCI DSS scope by performing penetration testing - Penetration testing is performed to verify provider. perform penetration testing at least semi- validate segmentation, at least semi- validate segmentation, at least semi-
on segmentation controls at least every six segmentation controls at least every six annually to validate segmentation controls annually. annually.
months and after any changes to segmentation months and after any changes to segmentation For service providers, validation of PCI DSS are operational and effective.
controls/methods. controls/methods. scope should be performed as frequently as
- The penetration testing covers all possible to ensure PCI DSS scope remains up
segmentation controls/methods in use. to date and aligned with changing business
- The penetration testing verifies that objectives.
segmentation controls/methods are
operational and effective, and isolate all out-
of-scope systems from systems in the CDE.
11.3.4.1.b Verify that the test was performed Semi-annual segmentation validation Semi-annual segmentation validation
by a qualified internal resource or qualified penetration testing should be performed penetration testing should be performed
external third party and, if applicable, by a qualified resource, ether external or by a qualified resource, ether external or
organizational independence of the tester internal with organizational independence. internal with organizational independence.
11.4 Use intrusion-detection and/or intrusion- 11.4.a Examine system configurations and Intrusion detection and/or intrusion Microsoft Azure conducts real-time analysis Not applicable Customers are responsible for employing
prevention techniques to detect and/or prevent network diagrams to verify that techniques prevention techniques (such as IDS/IPS) of events within its operational IDS and firewall technology to detect and
intrusions into the network. Monitor all traffic at (such as intrusion-detection systems and/or compare the traffic coming into the network environment and IDS systems generate prevent malicious intrusions into their CDE.
the perimeter of the cardholder data environment intrusion-prevention systems) are in place to with known “signatures” and/or behaviors of near real-time alerts about events that This may be accomplished through the use
as well as at critical points in the cardholder data monitor all traffic: thousands of compromise types (hacker could potentially compromise the system. of Azure IDS services or those of a third
environment, and alert personnel to suspected - At the perimeter of the cardholder data tools, Trojans, and other malware), and send party cloud service provider. These
compromises. environment alerts and/or stop the attempt as it happens. controls must be in place and configured to
Keep all intrusion-detection and prevention - At critical points in the cardholder data Without a proactive approach to be validated.
engines, baselines, and signatures up to date. environment. unauthorized activity detection, attacks on
(or misuse of) computer resources could go
unnoticed in real time. Security alerts
generated by these techniques should be
11.4.b Examine system configurations and monitored so that the attempted intrusions
interview responsible personnel to confirm can be stopped.
intrusion-detection and/or intrusion-
prevention techniques alert personnel of
suspected compromises.
11.4.c Examine IDS/IPS configurations and

vendor documentation to verify intrusion-
detection and/or intrusion-prevention
techniques are configured, maintained, and
updated per vendor instructions to ensure
optimal protection.
11.5 Deploy a change-detection mechanism (for 11.5.a Verify the use of a change-detection Change-detection solutions such as file- Microsoft Azure maintains and notifies Customers are responsible for change- Customers are responsible for employing a
example, file-integrity monitoring tools) to alert mechanism within the cardholder data integrity monitoring (FIM) tools check for customers of potential changes and events detection at the application layer, or any change-detection mechanism to alert
personnel to unauthorized modification (including environment by observing system settings and changes, additions, and deletions to critical that may impact security or availability of other customer owned critical files that arepersonnel to unauthorized modification of
changes, additions, and deletions) of critical monitored files, as well as reviewing results files, and notify when such changes are the services through an online Service determined to be in-scope. critical system files, configuration files, or
system files, configuration files, or content files; from monitoring activities. detected. If not implemented properly and Dashboard. Changes to the security content files on IaaS instances in the CDE
and configure the software to perform critical file Examples of files that should be monitored: the output of the change-detection solution commitments and security obligations of Azure is reponsible for change-detection on and configure the software to perform
comparisons at least weekly. - System executables monitored, a malicious individual could add, Microsoft Azure customers are updated on PaaS VMs and system settings that critical file comparisons at least weekly.
- Application executables remove, or alter configuration file contents, the Microsoft Azure website in a timely customers are not able to alter.
Note: For change-detection purposes, critical files - Configuration and parameter files operating system programs, or application manner.
are usually those that do not regularly change, but - Centrally stored, historical or archived, log executables. Unauthorized changes, if
the modification of which could indicate a system and audit files undetected, could render existing security Installation or changes to software on
compromise or risk of compromise. Change- - Additional critical files determined by entity controls ineffective and/or result in Microsoft Azure production environment is
detection mechanisms such as file-integrity (for example, through risk assessment or other cardholder data being stolen with no restricted to authorized administration
monitoring products usually come pre-configured means). perceptible impact to normal processing. personnel and follows change management
with critical files for the related operating system. procedures.
Other critical files, such as those for custom
applications, must be evaluated and defined by
the entity (that is, the merchant or service
provider). 11.5.b Verify the mechanism is configured to
alert personnel to unauthorized modification
(including changes, additions, and deletions) of
critical files, and to perform critical file
comparisons at least weekly.
11.5.1 Implement a process to respond to any 11.5.1 Interview personnel to verify that all Azure monitoring event rules provide an Not applicable Customers are responsible for employing a
alerts generated by the change-detection solution. alerts are investigated and resolved. increased level of monitoring for high risk change-detection mechanism to alert
operations and assets. Azure-managed personnel to unauthorized modification of
network devices are monitored for critical system files, configuration files, or
compliance with established security content files on IaaS instances in the CDE
standards. and configure the software to perform
critical file comparisons at least weekly.
11.6 Ensure that security policies and operational 11.6 Examine documentation interview Personnel need to be aware of and following Not applicable Customers are responsible for creating and Customers are responsible for creating and
procedures for security monitoring and testing are personnel to verify that security policies and security policies and operational procedures maintaining policies surrounds operational maintaining policies surrounds operational
documented, in use, and known to all affected operational procedures for security monitoring for security monitoring and testing on a security. security.
parties. and testing are: continuous basis.
- Documented,
- In use, and
Requirement 12: Maintain a policy that addresses information security for all personnel.
A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and
consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.

12.1 Establish, publish, maintain, and disseminate 12.1 Examine the information security policy A company's information security policy Not applicable Customers are responsible for establishing Customers are responsible for establishing
a security policy. and verify that the policy is published and creates the roadmap for implementing and maintaining an information security and maintaining an information security
disseminated to all relevant personnel security measures to protect its most policy. policy.
(including vendors and business partners). valuable assets. All personnel should be
aware of the sensitivity of data and their
responsibilities for protecting it.
12.1.1 Review the security policy at least annually 12.1.1 Verify that the information security Security threats and protection methods Not applicable Customers are responsible for updating Customers are responsible for updating
and update the policy when the environment policy is reviewed at least annually and evolve rapidly. Without updating the security their information security policy at least their information security policy at least
changes. updated as needed to reflect changes to policy to reflect relevant changes, new annually, or when the are changes to their annually, or when the are changes to their
business objectives or the risk environment. protection measures to fight against these CDE. CDE.
threats are not addressed.
12.2 Implement a risk-assessment process that: 12.2.a Verify that an annual risk-assessment
A risk assessment enables an organization to Not applicable Customers are responsible for Customers are responsible for
- Is performed at least annually and upon process is documented that: identify threats and associated vulnerabilities implementing a risk assessment process implementing a risk assessment process
significant changes to the environment (for - Identifies critical assets, threats, and
with the potential to negatively impact their that addresses all threats listed in 12.2 that addresses all threats listed in 12.2
example, acquisition, merger, relocation, etc.), vulnerabilities business. Resources can then be effectively
- Identifies critical assets, threats, and - Results in a formal, documented analysis of
allocated to implement controls that reduce
vulnerabilities, and risk the likelihood and/or the potential impact of
- Results in a formal, documented analysis of risk. the threat being realized.
Performing risk assessments at least annually
Examples of risk-assessment methodologies 12.2.b Review risk-assessment documentation and upon significant changes allows the
include but are not limited to OCTAVE, ISO 27005 to verify that the risk-assessment process is organization to keep up to date with
and NIST SP 800-30. performed at least annually and upon organizational changes and evolving threats,
significant changes to the environment. trends, and technologies.
12.3 Develop usage policies for critical 12.3 Examine the usage policies for critical Personnel usage policies can either prohibit Not applicable Customers are responsible for creating and Customers are responsible for creating and
technologies and define proper use of these technologies and interview responsible use of certain devices and other technologies maintaining policies dictating proper usage, maintaining policies dictating proper usage,
technologies. personnel to verify the following policies are if that is company policy, or provide guidance implementation, and authentication for implementation, and authentication for
implemented and followed: for personnel as to correct usage and critical technologies within their CDE. critical technologies within their CDE.
Note: Examples of critical technologies include, but implementation. If usage policies are not in
are not limited to, remote access and wireless place, personnel may use the technologies in
technologies, laptops, tablets, removable violation of company policy, thereby allowing
electronic media, e-mail usage and Internet usage. malicious individuals to gain access to critical
systems and cardholder data.
Ensure these usage policies require the following:
12.3.1 Explicit approval by authorized parties 12.3.1 Verify that the usage policies include Without requiring proper approval for Not applicable Customers are responsible for creating and Customers are responsible for creating and
processes for explicit approval from authorized implementation of these technologies, maintaining policies dictating proper usage, maintaining policies dictating proper usage,
parties to use the technologies. individual personnel may innocently implementation, and authentication for implementation, and authentication for
implement a solution to a perceived business critical technologies within their CDE. critical technologies within their CDE.
need, but also open a huge hole that subjects
critical systems and data to malicious
individuals.
12.3.2 Authentication for use of the technology 12.3.2 Verify that the usage policies include If technology is implemented without proper Not applicable Customers are responsible for creating and Customers are responsible for creating and
processes for all technology use to be authentication (user IDs and passwords, maintaining policies dictating proper usage, maintaining policies dictating proper usage,
authenticated with user ID and password or tokens, VPNs, etc.), malicious individuals may implementation, and authentication for implementation, and authentication for
other authentication item (for example, token). easily use this unprotected technology to critical technologies within their CDE. critical technologies within their CDE.
access critical systems and cardholder data.
12.3.3 A list of all such devices and personnel with 12.3.3 Verify that the usage policies define a Malicious individuals may breach physical Not applicable Customers are responsible for creating and Customers are responsible for creating and
access list of all devices and personnel authorized to security and place their own devices on the maintaining policies dictating proper usage, maintaining policies dictating proper usage,
use the devices. network as a “back door.” Personnel may implementation, and authentication for implementation, and authentication for
also bypass procedures and install devices. critical technologies within their CDE. critical technologies within their CDE.
An accurate inventory with proper device
labeling allows for quick identification of
non-approved installations.
12.3.4 A method to accurately and readily 12.3.4 Verify that the usage policies define a Malicious individuals may breach physical Not applicable Customers are responsible for creating and Customers are responsible for creating and
determine owner, contact information, and method to accurately and readily determine security and place their own devices on the maintaining policies dictating proper usage, maintaining policies dictating proper usage,
purpose (for example, labeling, coding, and/or owner, contact information, and purpose (for network as a “back door.” Personnel may implementation, and authentication for implementation, and authentication for
inventorying of devices) example, labeling, coding, and/or inventorying also bypass procedures and install devices. critical technologies within their CDE. critical technologies within their CDE.
of devices). An accurate inventory with proper device
labeling allows for quick identification of
non-approved installations. Consider
establishing an official naming convention for
devices, and log all devices with established
inventory controls. Logical labeling may be
employed with information such as codes
that can correlate the device to its owner,
contact information, and purpose.
12.3.5 Acceptable uses of the technology 12.3.5 Verify that the usage policies define By defining acceptable business use and Not applicable Customers are responsible for creating and Customers are responsible for creating and
acceptable uses for the technology. location of company-approved devices and maintaining policies dictating proper usage, maintaining policies dictating proper usage,
technology, the company is better able to implementation, and authentication for implementation, and authentication for
manage and control gaps in configurations critical technologies within their CDE. critical technologies within their CDE.
and operational controls, to ensure a “back
12.3.6 Acceptable network locations for the 12.3.6 Verify that the usage policies define door” is not opened for a malicious individual Not applicable Customers are responsible for determining Customers are responsible for determining
technologies acceptable network locations for the to gain access to critical systems and acceptable network locations for cloud acceptable network locations for cloud
technology. cardholder data. based VMs, storage and supporting based VMs, storage and supporting
services. services.
By defining acceptable business use and
location of company-approved devices and
technology, the company is better able to
manage and control gaps in configurations
and operational controls, to ensure a “back
door” is not opened for a malicious individual
to gain access to critical systems and
cardholder data.
12.3.7 List of company-approved products 12.3.7 Verify that the usage policies include a Not applicable Customers are responsible for determining Customers are responsible for determining
list of company-approved products. acceptable network locations for cloud acceptable network locations for cloud
based VMs, storage and supporting based VMs, storage and supporting
services. services.
12.3.8 Automatic disconnect of sessions for 12.3.8.a Verify that the usage policies require Remote-access technologies are frequent Microsoft Azure uses Microsoft corporate Customers are responsible for creating and Customers are responsible for creating and
remote-access technologies after a specific period automatic disconnect of sessions for remote- "back doors" to critical resources and AD session lock functionality, which maintaining policies dictating proper usage, maintaining policies dictating proper usage,
of inactivity access technologies after a specific period of cardholder data. By disconnecting remote- enforces session lock outs after a period of implementation, and authentication for implementation, and authentication for
inactivity. access technologies when not in use (for inactivity. Network connections are critical technologies within their CDE. critical technologies within their CDE.
example, those used to support your systems terminated after 30 minutes of inactivity.
12.3.8.b Examine configurations for remote by your POS vendor, other vendors, or
access technologies to verify that remote business partners), access and risk to
access sessions will be automatically networks is minimized.
disconnected after a specific period of
inactivity.
12.3.9 Activation of remote-access technologies 12.3.9 Verify that the usage policies require Not applicable Customers are responsible for creating and Customers are responsible for creating and
for vendors and business partners only when activation of remote-access technologies used maintaining policies dictating proper usage, maintaining policies dictating proper usage,
needed by vendors and business partners, with by vendors and business partners only when implementation, and authentication for implementation, and authentication for
immediate deactivation after use needed by vendors and business partners, with critical technologies within their CDE. critical technologies within their CDE.
immediate deactivation after use.
12.3.10 For personnel accessing cardholder data 12.3.10.a Verify that the usage policies prohibit To ensure all personnel are aware of their Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
via remote-access technologies, prohibit the copying, moving, or storing of cardholder data responsibilities to not store or copy personnel accessing cardholder data via personnel accessing cardholder data via
copying, moving, and storage of cardholder data onto local hard drives and removable cardholder data onto their local personal remote-access technologies, prohibit the remote-access technologies, prohibit the
onto local hard drives and removable electronic electronic media when accessing such data via computers or other media, your policy copying, moving, and storage of cardholder copying, moving, and storage of cardholder
media, unless explicitly authorized for a defined remote-access technologies. should clearly prohibit such activities except data onto local hard drives and removable data onto local hard drives and removable
business need. for personnel that have been explicitly electronic media, unless explicitly electronic media, unless explicitly
Where there is an authorized business need, the authorized to do so. Storing or copying authorized for a defined business need. authorized for a defined business need.
usage policies must require the data be protected 12.3.10.b For personnel with proper cardholder data onto a local hard drive or
in accordance with all applicable PCI DSS authorization, verify that usage policies require other media must be in accordance with all
Requirements. the protection of cardholder data in applicable PCI DSS requirements.
accordance with PCI DSS Requirements.
12.4 Ensure that the security policy and 12.4.a Verify that information security policies Without clearly defined security roles and Not applicable Customers are responsible for creating and Customers are responsible for creating and
procedures clearly define information security clearly define information security responsibilities assigned, there could be maintaining policies dictating proper usage, maintaining policies dictating proper usage,
responsibilities for all personnel. responsibilities for all personnel. inconsistent interaction with the security implementation, and authentication for implementation, and authentication for
group, leading to unsecured implementation critical technologies within their CDE. critical technologies within their CDE.
12.4.b Interview a sample of responsible of technologies or use of outdated or
personnel to verify they understand the unsecured technologies.
security policies.
12.4.1 Additional requirement for service 12.4.1.a Examine documentation to verify Note: This requirement applies only when Not applicable Customers which are Service Providers are Customers which are Service Providers are
providers only: Executive management shall executive management has assigned overall the entity being assessed is a service responsible for documenting their PCI responsible for documenting their PCI
establish responsibility for the protection of accountability for maintaining the entity’s PCI
provider. compliance program. compliance program.
cardholder data and a PCI DSS compliance DSS compliance. Executive management assignment of PCI
program to include: DSS compliance responsibilities ensures
executive-level visibility into the PCI DSS
- Overall accountability for maintaining PCI DSS 12.4.1.b Examine the company’s PCI DSS compliance program and allows for the
compliance charter to verify it outlines the conditions opportunity to ask appropriate questions to
under which the PCI DSS compliance program determine the effectiveness of the program
- Defining a charter for a PCI DSS compliance is organized and communicated to executive and influence strategic priorities. Overall
program and communication to executive management. responsibility for the PCI DSS compliance
management program may be assigned to individual roles
and/or to business units within the
organization.
Executive management may include C-level
positions, board of directors, or equivalent.
The specific titles will depend on the
particular organizational structure. The level
of detail provided to executive management
should be appropriate for the particular
rganization and the intended audience.
12.5 Assign to an individual or team the following 12.5 Examine information security policies and Each person or team with responsibilities for Not applicable Customers are responsible for defining and Customers are responsible for defining and
information security management responsibilities: procedures to verify: information security management should be assigning information security assigning information security
- The formal assignment of information clearly aware of their responsibilities and responsibilities to their employees. responsibilities to their employees.
security to a Chief Security Officer or other related tasks, through specific policy.
security-knowledgeable member of Without this accountability, gaps in
management. processes may open access into critical
- The following information security resources or cardholder data.
responsibilities are specifically and formally
assigned: Entities should also consider transition
and/or succession plans for key personnel to
avoid potential gaps in security assignments,
which could result in responsibilities not
12.5.1 Establish, document, and distribute security 12.5.1 Verify that responsibility for being assigned and therefore not performed.
policies and procedures. establishing, documenting and distributing
security policies and procedures is formally
assigned.
12.5.2 Monitor and analyze security alerts and 12.5.2 Verify that responsibility for monitoring
information, and distribute to appropriate and analyzing security alerts and distributing
personnel. information to appropriate information
security and business unit management
personnel is formally assigned.
12.5.3 Establish, document, and distribute security 12.5.3 Verify that responsibility for Not applicable Customers are responsible for creating and Customers are responsible for creating and
incident response and escalation procedures to establishing, documenting, and distributing maintaining policies dictating proper usage, maintaining policies dictating proper usage,
ensure timely and effective handling of all security incident response and escalation implementation, and authentication for implementation, and authentication for
situations. procedures is formally assigned. critical technologies within their CDE. critical technologies within their CDE.
Not applicable Customers are responsible for creating and Customers are responsible for creating and
maintaining policies dictating proper usage, maintaining policies dictating proper usage,
implementation, and authentication for implementation, and authentication for
critical technologies within their CDE. critical technologies within their CDE.
12.5.4 Administer user accounts, including 12.5.4 Verify that responsibility for
additions, deletions, and modifications. administering (adding, deleting, and modifying)
user account and authentication management
is formally assigned.
12.5.5 Monitor and control all access to data. 12.5.5 Verify that responsibility for monitoring
and controlling all access to data is formally
assigned.
12.6 Implement a formal security awareness 12.6.a Review the security awareness program If personnel are not educated about their Not applicable Customers are responsible for creating and Customers are responsible for creating and
program to make all personnel aware of the to verify it provides awareness to all personnel security responsibilities, security safeguards maintaining policies surrounding security maintaining policies surrounding security
importance of cardholder data security policy and about the importance of cardholder data and processes that have been implemented awareness for staff with access to the CDE. awareness for staff with access to the CDE.
procedures. security. may become ineffective through errors or
intentional actions.
12.6.b Examine security awareness program
procedures and documentation and perform
the following:
12.6.1 Educate personnel upon hire and at least 12.6.1.a Verify that the security awareness If the security awareness program does not Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
annually. program provides multiple methods of include periodic refresher sessions, key staff receive and acknowledge information staff receive and acknowledge information
communicating awareness and educating security processes and procedures may be security and PCI-DSS awareness training at security and PCI-DSS awareness training at
Note: Methods can vary depending on the role of personnel (for example, posters, letters, forgotten or bypassed, resulting in exposed least annually. least annually.
the personnel and their level of access to the memos, web-based training, meetings, and critical resources and cardholder data.
cardholder data. promotions).
12.6.1.b Verify that personnel attend security

awareness training upon hire and at least
annually.
12.6.1.c Interview a sample of personnel to
verify they have completed awareness training
and are aware of the importance of cardholder
data security.
12.6.2 Require personnel to acknowledge at least 12.6.2 Verify that the security awareness Requiring an acknowledgement by personnel Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
annually that they have read and understood the program requires personnel to acknowledge, in in writing or electronically helps ensure that staff receive and acknowledge information staff receive and acknowledge information
security policy and procedures. writing or electronically, at least annually, that they have read and understood the security security and PCI-DSS awareness training at security and PCI-DSS awareness training at
they have read and understand the policies/procedures, and that they have least annually. least annually.
information security policy. made and will continue to make a
commitment to comply with these policies.
12.7 Screen potential personnel prior to hire to 12.7 Inquire with Human Resource department Performing thorough background Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
minimize the risk of attacks from internal sources. management and verify that background investigations prior to hiring potential staff with access to the CDE undergo staff with access to the CDE undergo
(Examples of background checks include previous checks are conducted (within the constraints personnel who are expected to be given thorough background checks. thorough background checks.
employment history, criminal record, credit of local laws) prior to hire on potential access to cardholder data reduces the risk of
history, and reference checks.) personnel who will have access to cardholder unauthorized use of PANs and other
data or the cardholder data environment. cardholder data by individuals with
Note: For those potential personnel to be hired for questionable or criminal backgrounds.
certain positions such as store cashiers who only
have access to one card number at a time when
facilitating a transaction, this requirement is a
12.8 Maintain andonly.
recommendation implement policies and 12.8 Through observation, review of policies If a merchant or service provider shares Not applicable Customers are responsible for monitoring Customers are responsible for monitoring
procedures to manage service providers with and procedures, and review of supporting cardholder data with a service provider, PCI compliance for service providers with PCI compliance for service providers with
whom cardholder data is shared, or that could documentation, verify that processes are certain requirements apply to ensure whom cardholder data is shared, or could whom cardholder data is shared, or could
affect the security of cardholder data, as follows: implemented to manage service providers with continued protection of this data will be affect the security of the CDE. Customers affect the security of the CDE. Customers
whom cardholder data is shared, or that could enforced by such service providers. must maintain a list of all service provides must maintain a list of all service provides
affect the security of cardholder data (for used within their CDE. used within their CDE.
example, backup tape storage facilities, Some examples of the different types of
managed service providers such as web- service providers include backup tape
hosting companies or security service storage facilities, managed service providers
providers, those that receive data for fraud such as web-hosting companies or security
modeling purposes, etc.), as follows: service providers, entities that receive data
for fraud-modeling purposes, etc.
12.8.1 Maintain a list of service providers including 12.8.1 Verify that a list of service providers is Keeping track of all service providers
a description of the service provided. maintained and includes a description of the identifies where potential risk extends to
service provided. outside of the organization.
12.8.2 Maintain a written agreement that includes 12.8.2 Observe written agreements and The acknowledgement of the service Not applicable Customers are responsible for maintaining Customers are responsible for maintaining
an acknowledgement that the service providers confirm they include an acknowledgement by providers evidences their commitment to written agreements with service providers written agreements with service providers
are responsible for the security of cardholder data service providers that they are responsible for maintaining proper security of cardholder acknowledging the responsibility for acknowledging the responsibility for
the service providers possess or otherwise store, the security of cardholder data the service data that it obtains from its clients. The maintaining security of cardholder data. maintaining security of cardholder data.
process or transmit on behalf of the customer, or providers possess or otherwise store, process extent to which the service provider is
to the extent that they could impact the security or transmit on behalf of the customer, or to responsible for the security of cardholder
of the customer’s cardholder data environment. the extent that they could impact the security data will depend on the particular service
of the customer’s cardholder data and the agreement between the provider
Note: The exact wording of an acknowledgement environment. and assessed entity.
will depend on the agreement between the two In conjunction with Requirement 12.9, this
parties, the details of the service being provided, requirement is intended to promote a
and the responsibilities assigned to each party. consistent level of understanding between
The acknowledgement does not have to include parties about their applicable PCI DSS
the exact wording provided in this requirement. responsibilities. For example, the agreement
may include the applicable PCI DSS
requirements to be maintained as part of the
provided service.
12.8.3 Ensure there is an established process for 12.8.3 Verify that policies and procedures are The process ensures that any engagement of Not applicable Customers are responsible for ensuring Customers are responsible for ensuring
engaging service providers including proper due documented and implemented including a service provider is thoroughly vetted there is an established process for engaging there is an established process for engaging
diligence prior to engagement. proper due diligence prior to engaging any internally by an organization, which should service providers including proper due service providers including proper due
service provider. include a risk analysis prior to establishing a diligence prior to engagement. diligence prior to engagement.
formal relationship with the service provider.
Specific due-diligence processes and goals
will vary for each organization. Examples of
considerations may include the provider’s
reporting practices, breach-notification and
incident response procedures, details of how
PCI DSS responsibilities are assigned between
each party, how the provider validates their
PCI DSS compliance and what evidence they
will provide, etc.
12.8.4 Maintain a program to monitor service 12.8.4 Verify that the entity maintains a Knowing your service providers’ PCI DSS Not applicable Customers is responsible for maintaining a Customers is responsible for maintaining a
providers’ PCI DSS compliance status at least program to monitor its service providers’ PCI
compliance status provides assurance and program to monitor service providers’ PCI program to monitor service providers’ PCI
annually. DSS compliance status at least annually. awareness about whether they comply with DSS compliance status at least annually. DSS compliance status at least annually.
the same requirements that your
12.8.5 Maintain information about which PCI DSS 12.8.5 Verify the entity maintains information organization is subject to. If the service Not applicable Customers are responsible for retaining a Customers are responsible for retaining a
requirements are managed by each service about which PCI DSS requirements are provider offers a variety of services, this copy of this Responsibility Summary Matrix, copy of this Responsibility Summary Matrix,
provider, and which are managed by the entity. managed by each service provider, and which requirement should apply to those services which outlines the PCI DSS requirements which outlines the PCI DSS requirements
are managed by the entity. delivered to the client, and those services in that are the responsibility of the customer that are the responsibility of the customer
scope for the client’s PCI DSS assessment. and which requirements are the and which requirements are the
The specific information an entity maintains responsibility of Microsoft Azure responsibility of Microsoft Azure
will depend on the particular agreement with
their providers, the type of service, etc. The
intent is for the assessed entity to
understand which PCI DSS requirements
their providers have agreed to meet.
12.9 Additional requirement for service providers 12.9 Additional testing procedure for service Note: This requirement applies only when Not applicable Customers which are Service Providers are Customers which are Service Providers are
only: Service providers acknowledge in writing to provider assessments only: Review service the entity being assessed is a service responsible for acknowledging their responsible for acknowledging their
customers that they are responsible for the provider’s policies and procedures and observe provider. responsibiilities for maintaining PCI responsibiilities for maintaining PCI
security of cardholder data the service provider templates used for written agreements to In conjunction with Requirement 12.8.2, this compliance. compliance.
possesses or otherwise stores, processes, or confirm the service provider acknowledges in requirement is intended to promote a
transmits on behalf of the customer, or to the writing to customers that the service provider consistent level of understanding between
extent that they could impact the security of the will maintain all applicable PCI DSS service providers and their customers about
customer’s cardholder data environment. requirements to the extent the service their applicable PCI DSS responsibilities. The
provider possesses or otherwise stores, acknowledgement of the service providers
Note: The exact wording of an acknowledgement processes, or transmits cardholder data on evidences their commitment to maintaining
will depend on the agreement between the two behalf of the customer, or to the extent that proper security of cardholder data that it
parties, the details of the service being provided, they could impact the security of the obtains from its clients.
and the responsibilities assigned to each party. customer’s cardholder data environment. The service provider’s internal policies and
The acknowledgement does not have to include procedures related to their customer
the exact wording provided in this requirement. engagement process and any templates used
for written agreements should include
provision of an applicable PCI DSS
acknowledgement to their customers. The
method by which the service provider
provides written acknowledgment should be
agreed between the provider and their
customers.
12.10 Implement an incident response plan. Be 12.10 Examine the incident response plan and Without a thorough security incident Not applicable Customers are responsible for developing Customers are responsible for developing
prepared to respond immediately to a system related procedures to verify entity is prepared response plan that is properly disseminated, IR plans and testing that considers any IR plans and testing that considers any
breach. to respond immediately to a system breach by read, and understood by the parties customer controls relating to shared touch customer controls relating to shared touch
performing the following: responsible, confusion and lack of a unified points and any customer applications points and any customer applications
response could create further downtime for leveraging Azure’s infrastructure. It is the leveraging Azure’s infrastructure. It is the
the business, unnecessary public media customer’s responsibility to provide customer’s responsibility to provide
exposure, as well as new legal liabilities. accurate contact information to Azure in accurate contact information to Azure in
the event an incident needs to be reported the event an incident needs to be reported
to them which may impact their application to them which may impact their application
12.10.1 Create the incident response plan to be 12.10.1.a Verify that the incident response The incident response plan should be or data. or data.
implemented in the event of system breach. plan includes: thorough and contain all the key elements to
Ensure the plan addresses the following, at a - Roles, responsibilities, and communication allow your company to respond effectively in
minimum: strategies in the event of a compromise the event of a breach that could impact
- Roles, responsibilities, and communication and including notification of the payment brands, cardholder data.
contact strategies in the event of a compromise at a minimum
including notification of the payment brands, at a - Specific incident response procedures
minimum - Business recovery and continuity procedures
- Specific incident response procedures - Data backup processes
- Business recovery and continuity procedures - Analysis of legal requirements for reporting
- Data backup processes compromises (for example, California Bill 1386,
- Analysis of legal requirements for reporting which requires notification of affected
compromises consumers in the event of an actual or
- Coverage and responses of all critical system suspected compromise for any business with
components California residents in their database)
- Reference or inclusion of incident response - Coverage and responses for all critical system
procedures from the payment brands. components
- Reference or inclusion of incident response
procedures from the payment brands.
- Coverage and responses of all critical system
components
- Reference or inclusion of incident response
procedures from the payment brands.
12.10.1.b Interview personnel and review

documentation from a sample of previously
reported incidents or alerts to verify that the
documented incident response plan and
procedures were followed.
12.10.2 Review and test the plan, including all 12.10.2 Interview personnel and review Without proper testing, key steps may be
elements listed in Requirement 12.10.1, at least documentation from testing to verify that the missed, which could result in increased
annually. plan is tested at least annually, and that testing exposure during an incident.
includes all elements listed in Requirement
12.10.1.
12.10.3 Designate specific personnel to be 12.10.3 Verify through observation, review of Without a trained and readily available
available on a 24/7 basis to respond to alerts. policies, and interviews of responsible incident response team, extended damage to
personnel that designated personnel are the network could occur, and critical data
available for 24/7 incident response and and systems may become “polluted” by
monitoring coverage for any evidence of inappropriate handling of the targeted
unauthorized activity, detection of systems. This can hinder the success of a
unauthorized wireless access points, critical IDS post-incident investigation.
alerts, and/or reports of unauthorized critical
system or content file changes.
12.10.4 Provide appropriate training to staff with 12.10.4 Verify through observation, review of
security breach response responsibilities. policies, and interviews of responsible
personnel that staff with responsibilities for
security breach response are periodically
trained.
12.10.5 Include alerts from security monitoring 12.10.5 Verify through observation and review These monitoring systems are designed to
systems, including but not limited to intrusion- of processes that monitoring and responding focus on potential risk to data, are critical in
detection, intrusion-prevention, firewalls, and file- to alerts from security monitoring systems, taking quick action to prevent a breach, and
integrity monitoring systems. including detection of unauthorized wireless must be included in the incident-response
access points, are covered in the incident processes.
response plan.
12.10.6 Develop a process to modify and evolve 12.10.6 Verify through observation, review of Incorporating “lessons learned” into the
the incident response plan according to lessons policies, and interviews of responsible incident response plan after an incident helps
learned and to incorporate industry personnel that there is a process to modify and keep the plan current and able to react to
developments. evolve the incident response plan according to emerging threats and security trends.
lessons learned and to incorporate industry
developments.
12.11 Additional requirement for service providers 12.11.a Examine policies and procedures to Note: This requirement applies only when Not applicable Customers which are service providers are Customers which are service providers are
only: Perform reviews at least quarterly to confirm verify that processes are defined for reviewing the entity being assessed is a service responsbile for documenting their reviews responsbile for documenting their reviews
personnel are following and confirming that personnel are following provider. of processes for confirming PCI compliance of processes for confirming PCI compliance
security policies and operational procedures. security policies and operational procedures, Regularly confirming that security policies control performance. control performance.
Reviews must cover the following processes: and that reviews cover: and procedures are being followed provides
- Daily log reviews - Daily log reviews assurance that the expected controls are
- Firewall rule-set reviews - Firewall rule-set reviews active and working as intended. The
- Applying configuration standards to new systems - Applying configuration standards to new objective of these reviews is not to re-
- Responding to security alerts systems perform other PCI DSS requirements, but to
- Change management processes - Responding to security alerts confirm whether procedures are being
- Change management processes followed as expected.
12.11.b Interview responsible personnel and

examine records of reviews to verify that
reviews are performed at least quarterly.
12.11.1 Additional requirement for service 12.11.1 Examine documentation from the Note: This requirement applies only when
providers only: Maintain documentation of quarterly reviews to verify they include: the entity being assessed is a service
quarterly review process to include: - Documenting results of the reviews provider.
- Documenting results of the reviews - Review and sign-off of results by personnel The intent of these independent checks is to
- Review and sign-off of results by personnel assigned responsibility for the PCI DSS confirm whether security activities are being
assigned responsibility for the PCI DSS compliance compliance program performed on an ongoing basis. These
program reviews can also be used to verify that
appropriate evidence is being maintained—
for example, audit logs, vulnerability scan
reports, firewall reviews, etc.—to assist the
entity’s preparation for its next PCI DSS
assessment.

Microsoft Azure 2020 PCI DSS Requirements Responsibility Matrix

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Microsoft Azure 2020 PCI DSS Requirements Responsibility Matrix

Uploaded by

Copyright:

Available Formats

2020 Microsoft Azure PCI DSS Requirem

In general, responsibilities can be understood as follows:

osoft Azure providing the datacenter networking compliance.

d for customer use at https://servicetrust.microsoft.com/

Control Ownership Implementation Details

1.1.4.c Observe network configurations to

Because they only run occasionally, start-up

Because they only run occasionally, start-up

Control Ownership Implementation Details

2.1.c Interview personnel and examine

- Unnecessary default accounts (including

2.1.1.c Examine vendor documentation and

2.1.1.d Examine vendor documentation and

2.1.1.e Examine vendor documentation and

2.2.d Verify that system configuration

In order for systems to be configured

Control Ownership Implementation Details

Identifying and deleting stored data that has

3.2.d For all other entities, if sensitive

To minimize risk, store only these data elements as

3.3.c Examine displays of PAN (for example, on

3.5.3.b Examine system configurations and key

3.5.3.c Wherever key-encrypting keys are used,

3.6.5.b Interview personnel to verify the

3.6.8.b Observe documentation or other

Control Ownership Implementation Details

4.1.g For TLS implementations, examine

Control Ownership Implementation Details

5.2.d Examine anti-virus configurations,

Control Ownership Implementation Details

Including a formal review and signoff by

Microsoft Azure has established change

6.4.5.b For a sample of system components,

Control Ownership Implementation Details

Note: Some access control systems are set by

Control Ownership Implementation Details

8.2.1.e Additional testing procedure for service

8.5.c Interview system administrators to verify

8.6.b Interview security personnel to verify

8.6.c Examine system configuration settings

Control Ownership Implementation Details

9.2.b Examine identification methods (such

9.2.c Verify that access to the identification

9.4.4.c Verify that the log is retained for at

Note: This does not mean the media needs to

Microsoft Azure follows NIST 800-88

9.9.1.c Interview personnel to verify the list

Control Ownership Implementation Details

10.4.1.b Observe the time-related system-

10.4.2 Time data is protected. 10.4.2.a Examine system configurations and

10.4.2.b Examine system configurations, time

10.6.2.b Examine the organization’s risk-

10.8.1.b Examine records to verify that security

Control Ownership Implementation Details

11.1.2.b Interview responsible personnel

11.2.3.c Validate that the scan was performed

11.3.2.b Verify that the test was performed by

Each quarter targeted comprehensive

11.4.c Examine IDS/IPS configurations and

Control Ownership Implementation Details

12.6.1.b Verify that personnel attend security

12.10.1.b Interview personnel and review