
I am creating an Azure-based application that must be PCI compliant. There is an understanding within my company that to meet this compliance any personally identifiable information (PII) should be stored encrypted.

I have a number of questions.

Is it true that PCI compliance means encrypting PII within the data store?

What are my options with this on Azure?

I would like to be storing data in DocumentDB as this would be the closest match to the format of the data within the application. Most of the data is document based and JSON. Would this meet the PCI compliance standards?

Does it make a difference if the data store that contains payment and card info is different to that containing the PII?

Machavity
Mark W
  • I don't think Azure storage supports any sort of encryption, but Azure SQL supports it on the v12 server: https://msdn.microsoft.com/en-us/library/Dn948096.aspx – mfanto Aug 12 '15 at 20:16

3 Answers


The question regarding what PCI compliance requires is best directed to your organization's compliance officer. They are the one that will ultimately have to "sign off" on your solution so they control the specifications you're working towards.

As for what your options are, mfanto pointed out the SQL support for the new tiers. There's also Azure Storage, which now has encryption extensions. DocumentDB doesn't have anything yet to my knowledge. And if you're running your own database, Windows VMs have had support for BitLocker drive encryption on data drives for some time now.

BrentDaCodeMonkey
    If only we did have a compliance officer, then it would be easy :-) – Mark W Aug 12 '15 at 20:54
  • Correct, DocumentDB doesn't have encryption of data at rest, yet. You could take the approach that Storage has done and implement encryption at the client, before committing the data to the cloud. This would work fine if you didn't need to query the encrypted data. So, leave the data you need to query on in clear text so DocumentDB can index it, and encrypt (client-side) the data you need to protect. – Ryan CrawCour Aug 13 '15 at 02:19
  • There are many companies that you can engage with to do a PCI compliance audit for you. Any one of these should be able to tell you what the requirements for PCI are. – Ryan CrawCour Aug 13 '15 at 02:21
  • My preference would be to use Azure as PaaS rather than IaaS. If I can avoid VMs then I will. – Mark W Aug 13 '15 at 10:40
  • If you were willing to use a relational database, Azure SQL DB provides transparent data encryption that is very easy to implement. https://msdn.microsoft.com/library/dn948096.aspx – Mark Brown Aug 13 '15 at 10:49

While the sample uses local files, it should be noted that Azure Encryption Extensions supports streams as well for all upload/download methods - and nothing is ever written to disk (streams are encrypted/decrypted on the fly).

UploadFromStreamEncrypted(...) DownloadToStreamEncrypted(...)

https://github.com/stefangordon/azure-encryption-extensions/blob/master/AzureEncryptionExtensionsTests/FunctionalTests.cs#L107

StefanGordon

Cosmos DB (formerly DocumentDB) now supports encryption-at-rest. It is enabled by default in every region. There is no impact to cost or performance SLA. Note: The local emulator does not support encryption-at-rest (though the emulator is only for dev/test purposes).

As far as compliance goes, you'll need to talk with a compliance/legal expert for that.

For more info on Cosmos DB encryption-at-rest, see this post.

David Makogon