Posted on February 25, 2021Pradeep Nair General Manager, Microsoft

More customers than ever are shopping from home in the current health environment, and companies are responding by rapidly deploying cloud-based e-commerce solutions. Azure is helping these companies meet their customers’ needs with robust, customizable, and scalable e-commerce solutions that process transactions quickly and securely. 

Security is paramount for both e-commerce providers and customers, and we are always working to make Azure as secure as possible. 

Today we’re announcing that Azure is one of the first hyperscale cloud service providers to achieve Payment Card Industry Three-Domain Secure (PCI 3DS) certification. 

Azure retained a qualified 3DS Assessor Company to conduct an assessment of Azure’s PCI 3-D Secure Environment (3DE) in accordance with the PCI 3DS Core Security Standard. The PCI 3DS Core Security provides a framework for implementing security controls that support the integrity and confidentiality of card-not-present transactions using the EMV 3-D Secure (3DS) messaging protocol. EMV 3DS provides an additional layer of security for card-not-present transactions by enabling cardholders to authenticate to their card issuers before making online transactions. 

The Azure cloud platform offers various product offerings that may be used by customers to support their own PCI 3DS payment solutions. Although the Azure cloud platform does not manage 3DS Domains or their functions, Azure’s PCI 3DS certification enables Azure customers to implement their own 3-D Secure Environment (3DE) on the Azure cloud platform and unblocks them from pursuing their own PCI 3DS certification. 

Azure’s PCI 3DS certification offers great news to customers looking to create more secure e-commerce solutions while complying with the PCI 3DS Core Security Standard.

Customers can download the Azure PCI 3DS 1.0 Package which contains all of the information necessary to leverage Azure’s PCI 3DS certification including the following documents as described below:
•    Azure PCI 3DS Shared Responsibility Matrix
•    Azure PCI 3DS White Paper
•    Azure PCI 3DS Attestation of Compliance

Azure PCI 3DS Shared Responsibility Matrix

The Azure PCI 3DS Shared Responsibility Matrix describes the Azure PCI 3DS assessment scope and illustrates the PCI 3DS compliance responsibilities for Azure and its customers. It is intended to be used by Azure customers and their compliance advisors to understand the scope of the Azure PCI 3DS assessment and expectations for responsibilities when using Azure services as part of the customer’s 3DE.
Understanding the shared responsibility for implementing security controls in a cloud environment is essential for customer building systems and utilizing services in Azure. The Azure PCI 3DS Shared Responsibility Matrix supports Azure customers implementing and documenting security controls for a system built on Azure by clearly delineating each PCI 3DS requirement’s responsibilities. Implementing a specific security control may be the responsibility of Azure, the responsibility of Azure’s customers, or a shared responsibility between Azure and its customers.

Azure PCI 3DS White Paper

Our new Microsoft Azure Cloud Platform for PCI 3DS White Paper provides guidance to Azure PCI 3DS customers on the PCI 3DS Core Security Standard and how the Azure 3DE can be utilized to implement a 3DE on the Azure cloud platform. The paper was produced on behalf of Microsoft Azure by Coalfire Systems, who conducted assessment activities including document reviews, staff interviews, and data center walkthroughs to validate the Azure 3DE against PCI 3DS Core Security Standard 1.0. The paper also examines the relationship between the PCI Data Security Standard (PCI DSS) and 3DS Core Security Standard and defines the responsibilities shared by Azure and its customers to meet the PCI 3DS Core Security Standard requirements.

Azure PCI 3DS Attestation of Compliance

Azure’s PCI 3DS Attestation of Compliance (AoC) provides evidence that Azure complies with the PCI 3DS Core Security Standard based on an assessment conducted by a qualified 3DS assessor company and is accessible through the Service Trust Portal. Azure’s PCI 3DS AoC was issued January 29, 2021.

Notes on PCI 3DS deployment on Azure

Customers should note that different cloud service models affect how responsibilities are shared between Azure and its customers. Azure does not directly perform the functions of a 3DS Server (3DSS), 3DS Directory Server (DS), or 3DS Access Control Server (ACS), and Azure customers may host their own 3DS environment on Azure using services offered. It is the customer’s responsibility to assess and understand their full scope of responsibility for implementing security controls and ensuring security controls are implemented in accordance with their compliance obligations.

A 3DS entity can choose to outsource the hosting and management of its hardware security module (HSM) infrastructure to a third-party service provider if the applicable requirements are met. Entities performing 3DS functions that use the Azure environment to host their 3DE are still subject to the PCI 3DS Core Security Standard and must have their environment assessed for all applicable requirements.

Microsoft continues to be at the forefront of e-commerce solutions to leverage the power of the cloud. Our e-commerce platform lets you analyze site traffic and browse-to-buy conversion rates to define special offers and new products based on customer behavior. Create personalized shopping experiences with targeted content and offers and increase satisfaction through ongoing engagement—before, after, and at the point of sale. When demand for your products or services takes off—predictably or unpredictably—be prepared to handle more customers and more transactions automatically.