Post on 05-Jun-2020


Microsoft Corporation Non-Disclosure Agreement for Compliance Materials

READ THIS! THIS IS A LEGAL AGREEMENT BETWEEN MICROSOFT CORPORATION ("MICROSOFT") AND THE RECIPIENT OF THESE MATERIALS, WHETHER AN INDIVIDUAL OR A CORPORATION OR OTHER ENTITY ("YOU"). BY CLICKING "I ACCEPT", DOWNLOADING OR USING THE MATERIALS, YOU AGREE TO THESE TERMS. IF THIS AGREEMENT IS ATTACHED TO MATERIALS, BY ACCESSING OR USING THE ATTACHED MATERIALS, YOU AGREE TO THESE TERMS.

1. For good and valuable consideration, the receipt and sufficiency of which are acknowledged, You and Microsoft agree as follows: (a) If You are an authorized representative of a corporation or other entity ("Company"), and such Company has executed a Microsoft Corporation Non-Disclosure Agreement that is not limited to a specific subject matter or event ("Microsoft NDA"), You represent that You have authority to act on behalf of Company and agree that the Confidential Information, as defined in the Microsoft NDA, is subject to the terms and conditions of the Microsoft NDA and that Company will treat the Confidential Information accordingly; (b) If You are an individual, and have executed a Microsoft NDA, You agree that the Confidential Information, as defined in the Microsoft NDA, is subject to the terms and conditions of the Microsoft NDA and that You will treat the Confidential Information accordingly; or (c) If a Microsoft NDA has not been executed, You (if You are an individual), or Company (if You are an authorized representative of Company), as applicable, agrees: (a) to refrain from disclosing or distributing the Confidential Information to any third party for five (5) years from the date of disclosure of the Confidential Information by Microsoft to Company/You; (b) to refrain from reproducing or summarizing the Confidential Information; and (c) to take reasonable security precautions, at least as great as the precautions it takes to protect its own confidential information, but no less than reasonable care, to keep confidential the Confidential Information. 
You/Company, however, may disclose Confidential Information in accordance with a judicial or other governmental order, provided You/Company either (i) gives Microsoft reasonable notice prior to such disclosure and to allow Microsoft a reasonable opportunity to seek a protective order or equivalent, or (ii) obtains written assurance from the applicable judicial or governmental entity that it will afford the Confidential Information the highest level of protection afforded under applicable law or regulation. Confidential Information shall not include any information, however designated, that: (i) is or subsequently becomes publicly available without Your/Company’s breach of any obligation owed to Microsoft; (ii) became known to You/Company prior to Microsoft’s disclosure of such information to You/Company pursuant to the terms of this Agreement; (iii) became known to You/Company from a source other than Microsoft other than by the breach of an obligation of confidentiality owed to Microsoft; or (iv) is independently developed by You/Company. For purposes of this paragraph, "Confidential Information" means nonpublic information that Microsoft designates as being confidential or which, under the circumstances surrounding disclosure ought to be treated as confidential by Recipient. "Confidential Information" includes, without limitation, information in tangible or intangible form relating to and/or including released or unreleased Microsoft software or hardware products, the marketing or promotion of any Microsoft product, Microsoft's business policies or practices, and information received from others that Microsoft is obligated to treat as confidential.

2. You may review these Materials only (a) as a reference to validate the platform and assist you in evaluating the referenced product(s) for purchase and use. All other rights are retained by Microsoft; this agreement does not give You rights under any Microsoft patents. You may not (i) duplicate any part of these Materials, (ii) remove this agreement or any notices from these Materials, or (iii) give any part of these Materials, or assign or otherwise provide Your rights under this agreement, to anyone else.

3. If You are an entity and (a) merge into another entity or (b) a controlling ownership interest in You changes, Your right to use these Materials automatically terminates and You must destroy them.

4. Monetary damages may not sufficiently compensate a breach of these terms. Microsoft may seek court orders to stop the disclosure of Confidential Information in breach of these terms without the obligation of posting a bond.

5. This agreement is governed by the laws of the State of Washington. Any dispute involving it must be brought in the federal or state superior courts located in King County, Washington, and You waive any defenses allowing the dispute to be litigated elsewhere. If there is litigation, the losing party must pay the other party’s reasonable attorneys’ fees, costs and other expenses. If any part of this agreement is unenforceable, it will be considered modified to the extent necessary to make it enforceable, and the remainder shall continue in effect. This agreement is the entire agreement between You and Microsoft concerning these Materials; it may be changed only by a written document signed by both You and Microsoft.


Payment Card Industry (PCI) Data Security Standard

Attestation of Compliance for Onsite Assessments – Service Providers Version 3.2

April 2016


PCI DSS v3.2 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 April 2016

© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. Page 2

Section 1: Assessment Information

Instructions for Submission

This Attestation of Compliance must be completed as a declaration of the results of the service provider’s assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The service provider is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures.

Part 1. Service Provider and Qualified Security Assessor Information

Part 1a. Service Provider Organization Information

Company Name: Microsoft Azure
DBA (doing business as): Not Applicable
Contact Name: Alice Rison
Title: Principal Group PM Manager
Telephone: 425-707-2570
E-mail: [email protected]
Business Address: One Microsoft Way
City: Redmond
State/Province: WA
Country: USA
Zip: 98052
URL: https://www.azure.microsoft.com

Part 1b. Qualified Security Assessor Company Information (if applicable)

Company Name: Coalfire Systems, Inc.
Lead QSA Contact Name: Dan Stocker
Title: Practice Director, QSA
Telephone: 303-554-6333
E-mail: [email protected]
Business Address: 11000 Westmoor Circle, Suite 450
City: Westminster
State/Province: CO
Country: USA
Zip: 80021
URL: www.coalfire.com


Part 2. Executive Summary

Part 2a. Scope Verification

Services that were INCLUDED in the scope of the PCI DSS Assessment (check all that apply):

Name of service(s) assessed: Microsoft Azure

Type of service(s) assessed:

Hosting Provider:

Applications / software

Hardware

Infrastructure / Network

Physical space (co-location)

Storage

Web

Security services

3-D Secure Hosting Provider

Shared Hosting Provider

Other Hosting (specify):

Managed Services (specify):

Systems security services

IT support

Physical security

Terminal Management System

Other services (specify):

Payment Processing:

POS / card present

Internet / e-commerce

MOTO / Call Center

ATM

Other processing (specify):

Account Management

Fraud and Chargeback

Payment Gateway/Switch

Back-Office Services

Issuer Processing

Prepaid Services

Billing Management

Loyalty Programs

Records Management

Clearing and Settlement

Merchant Services

Tax/Government Payments

Network Provider

Others (specify):

Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity’s service description. If you feel these categories don’t apply to your service, complete “Others.” If you’re unsure whether a category could apply to your service, consult with the applicable payment brand.


Part 2a. Scope Verification (continued)

Services that are provided by the service provider but were NOT INCLUDED in the scope of the PCI DSS Assessment (check all that apply):

Name of service(s) not assessed: Not Applicable

Type of service(s) not assessed: Not Applicable

Hosting Provider:

Applications / software

Hardware

Infrastructure / Network

Physical space (co-location)

Storage

Web

Security services

3-D Secure Hosting Provider

Shared Hosting Provider

Other Hosting (specify):

Managed Services (specify):

Systems security services

IT support

Physical security

Terminal Management System

Other services (specify):

Payment Processing:

POS / card present

Internet / e-commerce

MOTO / Call Center

ATM

Other processing (specify):

Account Management

Fraud and Chargeback

Payment Gateway/Switch

Back-Office Services

Issuer Processing

Prepaid Services

Billing Management

Loyalty Programs

Records Management

Clearing and Settlement

Merchant Services

Tax/Government Payments

Network Provider

Others (specify):

Provide a brief explanation why any checked services were not included in the assessment: Not Applicable


Part 2b. Description of Payment Card Business

Describe how and in what capacity your business stores, processes, and/or transmits cardholder data.

Microsoft Azure offers their customers IaaS and PaaS solutions, which customers may use to store, process, or transmit CHD. Microsoft Azure does not store, process, or transmit cardholder data (CHD) for its own business.

The Microsoft Azure environment was assessed with the assumption all customer data was CHD. Microsoft Azure customers are responsible for the security of the CHD they store, process, or transmit.


Describe how and in what capacity your business is otherwise involved in or has the ability to impact the security of cardholder data.

Microsoft Azure customers built their CDEs using Microsoft Azure services. The security and compliance of these services will directly affect the security and compliance of the customer’s services. Services in scope for this assessment include:

Customer Facing Services

Compute

1. Azure Container Service

2. Batch

3. Cloud Services

4. Functions

5. Service Fabric

6. Virtual Machines

7. Virtual Machine Scale Sets

Networking

8. Application Gateway

9. Azure DNS

10. ExpressRoute

11. Load Balancer

12. Traffic Manager

13. Virtual Network

14. VPN Gateway

Storage

15. Storage - Blob, Table, Queue, Files, and Disks

Premium Storage

Cool Storage

Managed Disks

16. StorSimple

17. Backup

18. Site Recovery

19. Import/Export

Web + Mobile

20. App Service

Web Apps

Mobile Apps

API Apps

21. Media Services

22. API Management

23. Logic Apps

24. Notification Hubs

Database


25. SQL Database (DB, SQL Server Stretch DB, SQL v12)

26. SQL Data Warehouse

27. SQL Virtual Machines

28. DocumentDB

29. Redis Cache – including Premium

Intelligence + Analytics

30. HDInsight

31. Machine Learning

32. Stream Analytics

33. Power BI Embedded

34. Data Catalog

35. Log Analytics

Internet of Things

36. IoT Hub

37. Event Hubs

Enterprise Integration

38. Service Bus

Security + Identity

39. Key Vault

40. Azure Active Directory (Common, Basic)

41. Azure Active Directory B2B

42. Azure Active Directory B2C

43. Multi-Factor Authentication

44. Azure Information Protection

Developer Tools

45. Application Insights

Monitoring + Management

46. Microsoft Azure Portal (New and Classic)

47. Azure Resource Manager

Storage Resource Provider

Compute Resource Provider

Network Resource Provider

48. Automation

49. Scheduler

Other Microsoft Products

50. Microsoft Cloud App Security

51. Microsoft Intune

52. Microsoft Power BI

53. Microsoft PowerApps


54. Microsoft Flow

55. Microsoft Graph

56. Workflow Manager

Part 2c. Locations

List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review.

Type of facility: Data Centers
Number of facilities of this type: 103
Location(s) of facility (city, country):

North America

1. Alpharetta, GA (1)

2. Ashburn, VA (1)

3. Santa Clara, CA (4)

4. Bristow, VA (5)

5. Boydton, VA (9)

6. Cheyenne, WY (3)

7. Northlake, IL (3)

8. Colorado Springs, CO (1)

9. Quincy, WA (4)

10. Dallas, TX (1)

11. West Des Moines, IA (7)

12. Chicago, IL (1)

13. Phoenix, AZ (1)

14. Quebec City, Canada (1)

15. San Antonio, TX (4)

16. Ogden, UT (1)

17. Needham, MA (1)

18. Tukwila, WA (1)

19. Tulsa, OK (1)

Europe

1. Amsterdam, Netherlands (1)

2. Schiphol-Rijk, Netherlands (3)

3. Middenmeer, Netherlands (2)

4. Newport, United Kingdom (1)

5. Hertfordshire, United Kingdom (1)

6. Dublin, Ireland (7)

7. Cleveland, United Kingdom (1)

8. Frankfurt, Germany (1)

9. Vantaa, Finland (1)

10. Biere, Germany (1)

11. Chessington, United Kingdom (1)

12. Bettembourg, Luxembourg (1)

13. Skondal, Sweden (1)

14. Vienna, Austria (1)

Asia


1. Beijing, China (2)

2. Gim-hae, Korea (2)

3. Ambattur, India (1)

4. Hong Kong (2)

5. Cyberjaya, Malaysia (1)

6. Mumbai, India (1)

7. Osaka, Japan (2)

8. Pune, India (1)

9. Shanghai, China (3)

10. Singapore (3)

11. Saitama, Japan (1)

12. Tokyo, Japan (1)

13. Inzai City, Japan (1)

South America

1. Campinas, Brazil (2)

2. Maracanau, Brazil (1)

3. Humacao, Puerto Rico (1)

4. Rio De Janeiro, Brazil (1)

5. Barueri, Brazil (1)

Australia

1. Melbourne, Australia (1)

2.

Part 2d. Payment Applications

Does the organization use one or more Payment Applications? Yes No

Provide the following information regarding the Payment Applications your organization uses:

Payment Application Name: Not Applicable
Version Number: Not Applicable
Application Vendor: Not Applicable
Is application PA-DSS Listed? Not Applicable
PA-DSS Listing Expiry date (if applicable): Not Applicable

Part 2e. Description of Environment

Provide a high-level description of the environment covered by this assessment. For example:

• Connections into and out of the cardholder data environment (CDE).

• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.

Azure Services are built and managed with the following types of personnel, functions and technologies:

Technical staff:

Architects who design services, systems and networks

Network engineers who build, test and support operations

System engineers who build, test and support operations

Security engineers who design, implement and monitor key systems and infrastructure via vulnerability management systems including log monitoring and alerting

Software engineers, who build, test and support service code

Database administrators who support storage and data services


Service subject matter experts in areas such as databases, networking and encryption

Management staff:

Program Management at both the service and overall Azure levels, with oversight of service development and operations

Compliance specialists with oversight and management responsibilities, including PCI

Product management of Microsoft Azure service offerings

Project Managers who coordinate between service teams and support project management at the service and inter-service levels

Service architects supporting client implementations and build outs

Business staff:

Executives with oversight and guidance for PCI and business operations

Back office specialists who support billing and accounting functions

HR staff who perform background checks, personnel skills development operations, and security awareness training for existing staff

Technology Processes:

Secure Software Development Lifecycle

Development and maintenance of security and configuration standards

System and network device maintenance and patching

Maintaining approved configurations and correcting deviations

Auditing and monitoring of in-scope systems and network devices

Cryptographic Key Management supporting services reliant on unique secrets and services implementing encryption

Database management and maintenance for internal and client-facing services

Change Management for tracking and approving all changes

Log monitoring and alerting as part of Vulnerability Management, supporting anti-malware, IDS, FIM, scanning and pen testing processes

Vulnerability Management via internal and external scanning and penetration testing

Identity Management via Active Directory and RAMweb

Business Functions:

Information Risk Assessment and Risk Management

Compliance monitoring, tracking and reporting

Incident Response Management

Billing and client onboarding processes

HR supporting staff vetting, onboarding, development and secure separation

Technologies:

Operating Systems: including Windows server and client versions, and multiple Linux variants


Virtualization: custom hypervisors to manage resources and enhance isolation of multi-tenant client environments and realize efficiencies

Databases: multiple vendors and versions, supporting service implementations and as services themselves

Web portals for client and service management

RDP: enabling remote access for administrative work and client access

VPN: enabling remote access for administrative work and client access

Jump boxes: to increase logical isolation of CDE

Firewalls: filter traffic to/from the CDE and between the client and management networks

Network devices: routers, switches architected in a tiered design to enhance management and isolation of CDE traffic.

Anti-malware: both industry solutions and custom endpoint protection for service and client virtual machines

Vulnerability scanning, both internal and external, both service-focused and on client resources

Change management software to track and record approval of infrastructure and software changes

Encryption: custom implementations, including HSM and Secret Store service, which offers secure, encrypted storage for Microsoft Azure and customer secrets and encryption keys

Wireless networks at corporate locations enable efficient work patterns

Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)

Yes No

Part 2f. Third-Party Service Providers

Does your company have a relationship with a Qualified Integrator & Reseller (QIR) for the purpose of the services being validated?

Yes No

If Yes:

Name of QIR Company: Not Applicable

QIR Individual Name: Not Applicable

Description of services provided by QIR: Not Applicable

Does your company have a relationship with one or more third-party service providers (for example, Qualified Integrator Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.) for the purpose of the services being validated?

Yes No

If Yes:

Name of service provider: Not Applicable

Description of services provided: Not Applicable

Note: Requirement 12.8 applies to all entities in this list.


Part 2g. Summary of Requirements Tested

For each PCI DSS Requirement, select one of the following:

Full – The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as “Not Tested” or “Not Applicable” in the ROC.

Partial – One or more sub-requirements of that requirement were marked as “Not Tested” or “Not Applicable” in the ROC.

None – All sub-requirements of that requirement were marked as “Not Tested” and/or “Not Applicable” in the ROC.

For all requirements identified as either “Partial” or “None,” provide details in the “Justification for Approach” column, including:

Details of specific sub-requirements that were marked as either “Not Tested” and/or “Not Applicable” in the ROC

Reason why sub-requirement(s) were not tested or not applicable

Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.

Name of Service Assessed: Azure Container Service

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data

Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider

Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation

Requirement 4: 4.1.1 – Not Applicable: no wireless in scope

Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere

Requirement 6: Not Applicable


Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Batch

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope


Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Cloud Services

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes


    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Functions

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data


    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Service Fabric

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes


    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Virtual Machines

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols


    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Virtual Machine Scale Sets

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)


Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Application Gateway


PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.


Name of Service Assessed: Azure DNS

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable


Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: ExpressRoute

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable


Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Load Balancer

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope


    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Traffic Manager

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE


    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Virtual Network

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable


Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: VPN Gateway

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data
    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope


Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Storage - Blob, Table, Queue, Files, and Disks; Premium Storage; Cool Storage; Managed Disks

PCI DSS Requirement
Details of Requirements Assessed: Full / Partial / None
Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
    2.2.3 – Not Applicable: no insecure protocols
    2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
    3.2 – Not Applicable: no cardholder data processes
    3.2.1 – Not Tested: contractual obligation not to audit customer data
    3.2.2 – Not Tested: contractual obligation not to audit customer data


    3.2.3 – Not Tested: contractual obligation not to audit customer data
    3.3 – Not Applicable: no cardholder data processes
    3.4 – Not Applicable: no cardholder data processes
    3.6 – Not Applicable: no shared keys with customers
    3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
    8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
    9.9 – Not Applicable: no POI devices in scope
    9.9.1 – Not Applicable: no POI devices in scope
    9.9.2 – Not Applicable: no POI devices in scope
    9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: StorSimple

PCI DSS

Requirement

Details of Requirements Assessed

Full Partial None

Justification for Approach

(Required for all “Partial” and “None” responses. Identify which

sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data

Requirement 2: 2.1.1 – Not Applicable: no wireless in scope

2.2.3 – Not Applicable: no insecure protocols

2.6 – Not Applicable: not a Shared Hosting Provider

Requirement 3: 3.1 – Not Applicable: no management of customer data

retention

3.2 – Not Applicable: no cardholder data processes


  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Backup

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols


  2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Site Recovery

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)


Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols
  2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Import/Export


PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols
  2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.


Name of Service Assessed: App Service; Web Apps; Mobile Apps; API Apps

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols
  2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable


Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Media Services

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols
  2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope


Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: API Management

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols
  2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope


  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Logic Apps

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols
  2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable


Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Notification Hubs

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols
  2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere


Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: SQL Database (DB, SQL Server Stretch DB, SQL v12)

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols
  2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation


Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: SQL Data Warehouse

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols
  2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data


  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: SQL Virtual Machines

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols
  2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data


  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: DocumentDB

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
  2.2.3 – Not Applicable: no insecure protocols
  2.6 – Not Applicable: not a Shared Hosting Provider


Requirement 3: 3.1 – Not Applicable: no management of customer data retention
  3.2 – Not Applicable: no cardholder data processes
  3.2.1 – Not Tested: contractual obligation not to audit customer data
  3.2.2 – Not Tested: contractual obligation not to audit customer data
  3.2.3 – Not Tested: contractual obligation not to audit customer data
  3.3 – Not Applicable: no cardholder data processes
  3.4 – Not Applicable: no cardholder data processes
  3.6 – Not Applicable: no shared keys with customers
  3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
  8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
  9.9 – Not Applicable: no POI devices in scope
  9.9.1 – Not Applicable: no POI devices in scope
  9.9.2 – Not Applicable: no POI devices in scope
  9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Redis Cache – including Premium

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data


Requirement 2: 2.1.1 – Not Applicable: no wireless in scope

2.2.3 – Not Applicable: no insecure protocols

2.6 – Not Applicable: not a Shared Hosting Provider

Requirement 3: 3.1 – Not Applicable: no management of customer data

retention

3.2 – Not Applicable: no cardholder data processes

3.2.1 – Not Tested: contractual obligation not to audit

customer data

3.2.2 – Not Tested: contractual obligation not to audit

customer data

3.2.3 – Not Tested: contractual obligation not to audit

customer data

3.3 – Not Applicable: no cardholder data processes

3.4 – Not Applicable: no cardholder data processes

3.6 – Not Applicable: no shared keys with customers

3.6.6 – Not Applicable: no plaintext key generation

Requirement 4: 4.1.1 – Not Applicable: no wireless in scope

Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed

everywhere

Requirement 6: Not Applicable

Requirement 7: Not Applicable

Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to

CDE

8.7 – Not Applicable: no managed databases

Requirement 9: 9.8.1 – Not Applicable: no removable media in scope

9.9 – Not Applicable: no POI devices in scope

9.9.1 – Not Applicable: no POI devices in scope

9.9.2 – Not Applicable: no POI devices in scope

9.9.3 – Not Applicable: no POI devices in scope

Requirement 10: Not Applicable

Requirement 11: Not Applicable

Requirement 12: Not Applicable

Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared

Hosting Provider

Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2

for all in-scope services.

Name of Service Assessed: HDInsight

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Machine Learning

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Stream Analytics

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Power BI Embedded

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Data Catalog

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Log Analytics

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: IoT Hub

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Event Hubs

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Service Bus

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Key Vault

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Azure Active Directory (Common, Basic)

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Azure Active Directory B2B

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Azure Active Directory B2C

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
               2.2.3 – Not Applicable: no insecure protocols
               2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
               3.2 – Not Applicable: no cardholder data processes
               3.2.1 – Not Tested: contractual obligation not to audit customer data
               3.2.2 – Not Tested: contractual obligation not to audit customer data
               3.2.3 – Not Tested: contractual obligation not to audit customer data
               3.3 – Not Applicable: no cardholder data processes
               3.4 – Not Applicable: no cardholder data processes
               3.6 – Not Applicable: no shared keys with customers
               3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
               8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
               9.9 – Not Applicable: no POI devices in scope
               9.9.1 – Not Applicable: no POI devices in scope
               9.9.2 – Not Applicable: no POI devices in scope
               9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.


Page 59: Microsoft Corporation Non-Disclosure Agreement for ... · Microsoft product, Microsoft's business policies or practices, and information received from others that Microsoft is obligated

PCI DSS v3.2 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 April 2016

© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. Page 58

Name of Service Assessed: Multi-Factor Authentication

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable


Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Azure Information Protection

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable


Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Application Insights

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope


9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Microsoft Azure Portal (New and Classic)

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE


8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Azure Resource Manager (Storage Resource Provider, Compute Resource Provider, Network Resource Provider)

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope


Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Automation

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes


3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Scheduler

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data


3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Microsoft Cloud App Security

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes


3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Microsoft Intune

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols


2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Microsoft Power BI

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)


Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Microsoft PowerApps


PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.


Name of Service Assessed: Microsoft Flow

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable


Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Microsoft Graph

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope
9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable


Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.

Name of Service Assessed: Workflow Manager

PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Requirement 1: 1.3.6 – Not Applicable: No cardholder data
Requirement 2: 2.1.1 – Not Applicable: no wireless in scope
2.2.3 – Not Applicable: no insecure protocols
2.6 – Not Applicable: not a Shared Hosting Provider
Requirement 3: 3.1 – Not Applicable: no management of customer data retention
3.2 – Not Applicable: no cardholder data processes
3.2.1 – Not Tested: contractual obligation not to audit customer data
3.2.2 – Not Tested: contractual obligation not to audit customer data
3.2.3 – Not Tested: contractual obligation not to audit customer data
3.3 – Not Applicable: no cardholder data processes
3.4 – Not Applicable: no cardholder data processes
3.6 – Not Applicable: no shared keys with customers
3.6.6 – Not Applicable: no plaintext key generation
Requirement 4: 4.1.1 – Not Applicable: no wireless in scope
Requirement 5: 5.1.2 – Not Applicable: anti-malware deployed everywhere
Requirement 6: Not Applicable
Requirement 7: Not Applicable
Requirement 8: 8.1.5 – Not Applicable: no independent vendor access to CDE
8.7 – Not Applicable: no managed databases
Requirement 9: 9.8.1 – Not Applicable: no removable media in scope
9.9 – Not Applicable: no POI devices in scope
9.9.1 – Not Applicable: no POI devices in scope


9.9.2 – Not Applicable: no POI devices in scope
9.9.3 – Not Applicable: no POI devices in scope
Requirement 10: Not Applicable
Requirement 11: Not Applicable
Requirement 12: Not Applicable
Appendix A1: Appendix A1 is Not Applicable: Azure is not a Shared Hosting Provider
Appendix A2: Appendix A2 is Not Applicable: Azure supports TLS 1.2 for all in-scope services.


Section 2: Report on Compliance

This Attestation of Compliance reflects the results of an onsite assessment, which is documented in an accompanying Report on Compliance (ROC).

The assessment documented in this attestation and in the ROC was completed on: 3/4/2017

Have compensating controls been used to meet any requirement in the ROC? Yes No

Were any requirements in the ROC identified as being not applicable (N/A)? Yes No

Were any requirements not tested? Yes No

Were any requirements in the ROC unable to be met due to a legal constraint? Yes No


Section 3: Validation and Attestation Details

Part 3. PCI DSS Validation

This AOC is based on results noted in the ROC dated 3/4/2017.

Based on the results documented in the ROC noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):

Compliant: All sections of the PCI DSS ROC are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby Microsoft Azure has demonstrated full compliance with the PCI DSS.

Non-Compliant: Not all sections of the PCI DSS ROC are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby Microsoft Azure has not demonstrated full compliance with the PCI DSS.

Target Date for Compliance: Not Applicable

An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.

Compliant but with Legal exception: One or more requirements are marked “Not in Place” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.

If checked, complete the following:

Affected Requirement | Details of how legal constraint prevents requirement being met
Not Applicable | Not Applicable

Part 3a. Acknowledgement of Status

Signatory(s) confirms:

(Check all that apply)

The ROC was completed according to the PCI DSS Requirements and Security Assessment Procedures, Version 3.2, and was completed according to the instructions therein.

All information within the above-referenced ROC and in this attestation fairly represents the results of my assessment in all material respects.

I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.

I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.

If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.


Part 4. Action Plan for Non-Compliant Requirements

Select the appropriate response for “Compliant to PCI DSS Requirements” for each requirement. If you answer “No” to any of the requirements, you may be required to provide the date your Company expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement. Check with the applicable payment brand(s) before completing Part 4.

PCI DSS Requirement | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES / NO | Remediation Date and Actions (If “NO” selected for any Requirement)
1 | Install and maintain a firewall configuration to protect cardholder data | | Not Applicable
2 | Do not use vendor-supplied defaults for system passwords and other security parameters | | Not Applicable
3 | Protect stored cardholder data | | Not Applicable
4 | Encrypt transmission of cardholder data across open, public networks | | Not Applicable
5 | Protect all systems against malware and regularly update anti-virus software or programs | | Not Applicable
6 | Develop and maintain secure systems and applications | | Not Applicable
7 | Restrict access to cardholder data by business need to know | | Not Applicable
8 | Identify and authenticate access to system components | | Not Applicable
9 | Restrict physical access to cardholder data | | Not Applicable
10 | Track and monitor all access to network resources and cardholder data | | Not Applicable
11 | Regularly test security systems and processes | | Not Applicable
12 | Maintain a policy that addresses information security for all personnel | | Not Applicable
Appendix A1 | Additional PCI DSS Requirements for Shared Hosting Providers | | Not Applicable
Appendix A2 | Additional PCI DSS Requirements for Entities using SSL/early TLS | | Not Applicable