DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Payment Card Industry (PCI)

Data Security Standard

Attestation of Compliance for

Onsite Assessments – Service Providers
Version 3.2.1
June 2018
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Section 1: Assessment Information

Instructions for Submission
This Attestation of Compliance must be completed as a declaration of the results of the service provider’s
assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment
Procedures (PCI DSS). Complete all sections: The service provider is responsible for ensuring that each
section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting
and submission procedures.

Part 1. Service Provider and Qualified Security Assessor Information

Part 1a. Service Provider Organization Information
Company Name: Microsoft Corporation - DBA (doing Not Applicable
Microsoft Azure Cloud business as):
Computing Platform &
Services
Contact Name: Pradeep Nair Title: Senior Director – Azure
Telephone: (425) 703-9671 E-mail: pradnair@microsoft.com
Business Address: One Microsoft Way City: Redmond
State/Province: WA Country: USA Zip: 98052
URL: https://azure.microsoft.com

Part 1b. Qualified Security Assessor Company Information (if applicable)

Company Name: Coalfire Systems, Inc.
Lead QSA Contact Name: Divya Jeyachandran Title: Senior Manager, QSA
Telephone: (303) 554-6333 E-mail: CoalfireSubmission@coalfire.com
Business Address: 11000 Westmoor Cir Ste City: Westminster
450
State/Province: CO Country: USA Zip: 80021
URL: https://www.coalfire.com

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 2
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Part 2. Executive Summary

Part 2a. Scope Verification
Services that were INCLUDED in the scope of the PCI DSS Assessment (check all that apply):
Name of service(s) assessed: Microsoft Azure Public Cloud
Type of service(s) assessed:
Hosting Provider: Managed Services (specify): Payment Processing:
Applications / software Systems security services POS / card present
Hardware IT support Internet / e-commerce
Infrastructure / Network Physical security MOTO / Call Center
Physical space (co-location) Terminal Management System ATM
Storage Other services (specify): Other processing (specify):
Web
Security services
3-D Secure Hosting Provider
Shared Hosting Provider
Other Hosting (specify):

Account Management Fraud and Chargeback Payment Gateway/Switch

Back-Office Services Issuer Processing Prepaid Services
Billing Management Loyalty Programs Records Management
Clearing and Settlement Merchant Services Tax/Government Payments
Network Provider
Others (specify):
Note: These categories are provided for assistance only, and are not intended to limit or predetermine
an entity’s service description. If you feel these categories don’t apply to your service, complete
“Others.” If you’re unsure whether a category could apply to your service, consult with the applicable
payment brand.

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 3
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Part 2a. Scope Verification (continued)

Services that are provided by the service provider but were NOT INCLUDED in the scope of
the PCI DSS Assessment (check all that apply):
Name of service(s) not assessed: None
Type of service(s) not assessed:
Hosting Provider: Managed Services (specify): Payment Processing:
Applications / software Systems security services POS / card present
Hardware IT support Internet / e-commerce
Infrastructure / Network Physical security MOTO / Call Center
Physical space (co-location) Terminal Management System ATM
Storage Other services (specify): Other processing (specify):
Web
Security services
3-D Secure Hosting Provider
Shared Hosting Provider
Other Hosting (specify):

Account Management Fraud and Chargeback Payment Gateway/Switch

Back-Office Services Issuer Processing Prepaid Services
Billing Management Loyalty Programs Records Management
Clearing and Settlement Merchant Services Tax/Government Payments
Network Provider
Others (specify):
Provide a brief explanation why any checked services Not Applicable
were not included in the assessment:

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 4
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Part 2b. Description of Payment Card Business

Describe how and in what capacity your business Microsoft Azure does not directly store, process or
stores, processes, and/or transmits cardholder data. transmit cardholder data (CHD). Azure hosts tenant
customers that may operate ecommerce, and financial
systems within their allocated resources and may store,
process, or transmit cardholder data (CHD).

Describe how and in what capacity your business is Microsoft Azure Cloud Computing Platform & Services
otherwise involved in or has the ability to impact the (Azure) is a cloud service provider, offering Infrastructure
security of cardholder data. as a Service (IaaS) and Platform as a Service (PaaS)
services and associated services to customers of all
sizes, from individuals up to multi-national enterprises.
As a Level 1 Service Provider, Azure offers hardware,
infrastructure, and computing platforms for customers to
build, deploy, and manage applications and services.
Microsoft Azure does this through a global network of
Microsoft Corporation data centers and third-party
managed data centers. Azure supports both Platform as
a Service (PaaS) and Infrastructure as a Service (IaaS)
offerings. Azure product offerings are designed to meet
their customers’ security, privacy, uptime, and
compliance requirements. Azure physical infrastructure
is owned and managed by Microsoft Cloud Infrastructure
and Operations (MCIO), which is included in this
assessment.

Microsoft Azure does not directly store, process or

transmit cardholder data (CHD).

Part 2c. Locations

List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a
summary of locations included in the PCI DSS review.
Type of facility: Number of facilities of this Location(s) of facility (city, country):
type
Data Centers 54 North America
1. Phoenix, AZ (PHX20)
2. Santa Clara, CA (BY1/2/3/4/21/22/24/30)
3. Des Moines, IA (DM1/2/3, DSM05/06)
4. Chicago, IL (CH1/3, CHI20/21)
5. San Antonio, TX (SN1/2/3/4/5/6)
6. Ashburn, VA (BL2/3/5/6/7)
7. Boydton, VA (BN1/3/4/5/6/7)
8. Bristow, VA (BLU)
9. Reston, VA (BL4/30)
10. Quincy, WA (CO1/2, MWH01/02)
11. Cheyenne, WY (CYS01/04)
12. San Jose, CA (SJC31)
13. New York, NY (NYC)

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 5
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

14. Stirling, VA (BL20)

15. Toronto, Canada (YTO20, YTO01)
16. Quebec City, Canada (YQB20)
17. Mexico City, Mexico (MEX30)
18. Alpharetta, GA (ATL05)
19. Ogden, UT (SLC01)
20. Tulsa, OK (TUL04)

EMEA
1. Vienna, Austria (VIE)
2. Vantaa, Finland (HEL01)
3. Amsterdam, Netherlands (AM1/2/3,
AMS04/05/06/20/21)
4. Billingham, United Kingdom (MME20)
5. Chessington, United Kingdom (LON20/21)
6. Cardiff, United Kingdom (CWL20)
7. Dublin, Ireland (DBC, DB3/4/5, DUB06/07/08/20/24)
8. Paris, France (PAR02/20/21/22)
9. Marseille, France (MRS20)
10. Copenhagen, Denmark (CPH30)
11. Milan, Italy (MIL30)
12. Stockholm, Sweden (STO)
13. Bettembourg, Luxembourg (LUA)
14. Johannesburg, South Africa (JNB20/21/22)
15. Cape Town, South Africa (CPT20)

Asia
1. Hong Kong (HK1/2/20)
2. Mumbai, India (BOM01)
3. Dighi, India (PNQ01)
4. Ambattur, India (MAA01)
5. Osaka, Japan (OSA01/02/20)
6. Tokyo, Japan (KAW, TYO01/20/21/22)
7. Cyberjaya, Malaysia (KUL01)
8. Singapore (SG1/2/3, SIN20)
9. Busan, South Korea (PUS01, PUS20)
10. Seoul, South Korea (SEL20)

South America
1. Campinas, Brazil (CPQ01/02)
2. Fortaleza, Brazil (FOR01)
3. Rio de Janeiro, Brazil (RIO01)
4. Sao Paulo, Brazil (GRU)
5. Santiago, Chile (SCL01)
6. Fortaleza, Brazil (FOR01)

Australia
1. Macquarie Park, Australia (SYD03/21/22/23)

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 6
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

2. Melbourne, Australia (MEL01/20)

3. Canberra, Australia (CBR20/21)

Part 2d. Payment Applications

Does the organization use one or more Payment Applications? Yes No
Provide the following information regarding the Payment Applications your organization uses:
Payment Application Version Application Is application PA-DSS Listing Expiry
Name Number Vendor PA-DSS Listed? date (if applicable)
Not Applicable Not Applicable Not Applicable Not Applicable Not Applicable

Part 2e. Description of Environment

Microsoft Azure offers its customers IaaS and PaaS solutions,
Provide a high-level description of the
which may be used by customers to host their cardholder data
environment covered by this assessment.
environment (CDE) to store, process, or transmit CHD.
For example:
• Connections into and out of the
cardholder data environment (CDE). Technologies:
• Critical system components within the • Operating Systems: including Windows server and client
CDE, such as POS devices, databases, versions
web servers, etc., and any other • Virtualization: custom hypervisors to manage resources and
necessary payment components, as enhance isolation of multi-tenant client environments and
applicable. realize efficiencies
• Databases: multiple vendors and versions, supporting service
implementations in the background, and as services for
clients themselves.
• Web portals for client and service management
• Administrative Workstations: Connects the web portals used
for the services from RDP and VPN technologies.
• Remote Desktop Protocol (RDP): enabling remote access for
administrative work from administrative workstations and
client access
• Virtual Private Network (VPN): enabling remote access for
administrative workstations and client access
• Jump boxes: to increase logical isolation of customer
environment.
• Network devices: Firewalls to filter traffic to/from the CDE and
between the client and management networks. Routers,
switches architected in a tiered design to enhance
management and isolation of CDE traffic.
• Anti-malware: both industry solutions and custom endpoint
protection for service and client virtual machines
• Vulnerability scanning: both internal and external, both
service-focused and on client resources
• Change management: software to track and record approval
of infrastructure and software changes
• Encryption: custom implementations, including HSM and
Secret Store service, which offers secure, encrypted storage

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 7
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

for Microsoft Azure and customer secrets and encryption

keys

Does your business use network segmentation to affect the scope of your PCI DSS Yes No
environment?
(Refer to “Network Segmentation” section of PCI DSS for guidance on network
segmentation)

Part 2f. Third-Party Service Providers

Does your company have a relationship with a Qualified Integrator & Reseller (QIR) for Yes No
the purpose of the services being validated?

If Yes:

Name of QIR Company: Not Applicable

QIR Individual Name: Not Applicable

Description of services provided by QIR: Not Applicable

Does your company have a relationship with one or more third-party service providers (for Yes No
example, Qualified Integrator Resellers (QIR), gateways, payment processors, payment
service providers (PSP), web-hosting companies, airline booking agents, loyalty program
agents, etc.) for the purpose of the services being validated?

If Yes:

Name of service provider: Description of services provided:

Not Applicable Not Applicable

Note: Requirement 12.8 applies to all entities in this list.

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 8
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Part 2g. Summary of Requirements Tested

For each PCI DSS Requirement, select one of the following:
• Full – The requirement and all sub-requirements of that requirement were assessed, and no sub-
requirements were marked as “Not Tested” or “Not Applicable” in the ROC.
• Partial – One or more sub-requirements of that requirement were marked as “Not Tested” or “Not
Applicable” in the ROC.
• None – All sub-requirements of that requirement were marked as “Not Tested” and/or “Not Applicable”
in the ROC.
For all requirements identified as either “Partial” or “None,” provide details in the “Justification for Approach”
column, including:
• Details of specific sub-requirements that were marked as either “Not Tested” and/or “Not Applicable” in
the ROC
• Reason why sub-requirement(s) were not tested or not applicable
Note: One table to be completed for each service covered by this AOC. Additional copies of this section are
available on the PCI SSC website.

Name of Service Assessed: Assessed Services:

Azure

• AI + Machine Learning
o Azure Batch AI
o Azure Bot Service
o Azure Machine Learning Service
o Azure Search
o Cognitive Services
▪ Cognitive Services Platform
▪ Computer Vision
▪ Content Moderator
▪ Custom Speech
▪ Custom Vision
▪ Emotion
▪ Face
▪ Language Understanding
▪ QnA Maker
▪ Speech to Text
▪ Speech Translation
▪ Text Analytics
▪ Text to Speech
▪ Translator Text
▪ Video Indexer

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 9
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

o Machine Learning Studio

• Analytics
o Azure Analysis Services
o Azure Data Explorer
o Azure Data Lake Storage
o Azure Stream Analytics
o Data Catalog
o Data Lake Analytics
o Event Hubs
o HDInsight
o Power BI Embedded
o SQL Data Warehouse

• Compute
o App Service
▪ App Service: API Apps
▪ App Service: Mobile Apps
▪ App Service: Web Apps
o Azure Batch AI
o Azure Kubernetes Service (AKS)
o Batch
o Cloud Services
o Container Instances
o Azure Functions
o Service Fabric
o SQL Server on Virtual Machines
o Virtual Machines
o Azure Reserved Virtual Machine Instances
o Virtual Machine Scale Sets

• Containers
o App Service
▪ App Service: API Apps
▪ App Service: Mobile Apps
▪ App Service: Web Apps
o Azure Kubernetes Service (AKS)
o Azure Functions
o Container Instances
o Container Registry

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 10
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

o Service Fabric

• Databases
o Azure Cache for Redis
o Azure Cosmos DB
o Azure SQL Database
o Azure Database for MySQL
o Azure Database for PostgreSQL
o Azure Database Migration Service
o SQL Data Warehouse
o SQL Server on Virtual Machines
o SQL Server Stretch Database

• Developer Tools
o Azure DevTest Labs
o Azure Lab Services
• DevOps
o Azure DevTest Labs

• Identity
o Azure Active Directory (Free, Basic, Premium)
o Azure Active Directory B2C
o Azure Active Directory Domain Services
o Azure Information Protection (including Azure Rights
Management)
• Integration
o API Management
o Event Grid
o Logic Apps
o Service Bus

• Internet of Things
o API Management
o Azure Cosmos DB
o Azure Machine Learning Service
o Azure Maps
o Azure Functions
o Azure IoT Central
o Azure IoT Hub
o Azure Stream Analytics
o Azure Time Series Insights

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 11
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

o Event Grid
o Logic Apps
o Machine Learning Studio
o Notification Hubs

• Management and Governance

o Azure Advisor
o Azure Backup
o Azure Migrate
o Azure Monitor
o Azure Policy
o Azure Resource Manager
o Azure Site Recovery
o Automation
o Cloud Shell
o Microsoft Azure Portal
o Network Watcher
o Scheduler
o Traffic Manager

• Media
o Microsoft Content Delivery Network
o Media Services
o Video Indexer

• Migration
o Azure Database Migration Service
o Azure Migrate
o Azure Site Recovery
o Data Box

• Mobile
o App Service
▪ App Service: API Apps
▪ App Service: Mobile Apps
▪ App Service: Web Apps
o Azure Maps
o Notification Hubs

• Networking
o Application Gateway
o Azure DDoS Protection

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 12
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

o Azure DNS
o Azure Firewall
o Azure Front Door Service
o ExpressRoute
o Load Balancer
o Microsoft Content Delivery Network
o Network Watcher
o Traffic Manager
o Virtual Network
o VPN Gateway

• Security
o Application Gateway
o Azure Active Directory (Free, Basic, Premium)
o Azure Active Directory Domain Services
o Azure Advanced Threat Protection
o Azure DDoS Protection
o Azure Information Protection
o Key Vault
o Security Center
o VPN Gateway

• Storage
o Archive Storage
o Azure Backup
o Azure Data Lake Storage
o Data Box
o Import/Export
o Site Recovery
o Storage (Blobs, Disks, Files, Queues, Tables) including Cool
and Premium
o StorSimple

• Web
o API Management
o App Service
▪ App Service: API Apps
▪ App Service: Mobile Apps
▪ App Service: Web Apps
o Azure Search

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 13
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

o Microsoft Content Delivery Network

o Notification Hubs

Online services

• Microsoft Cloud App Security

• Microsoft Flow

• Microsoft Graph

• Microsoft Intune

• Microsoft Power BI (Including Embedded)

• Microsoft PowerApps

• Microsoft Stream

Azure Internal Support Services

• AAD Application Proxy

• AAD Connect Health

• AAD Gateway
• AAD SyncFabric

• Acis – Live Site Management

• Active Directory Ibiza UX – RBAC

• ADRS

• Azure Data Movement

• Azure Security Monitoring (ASM SLAM)

• Azure Watson

• CEDIS – Active Directory

• Compute Manager

• dSMS

• dSTS

• Enterprise Apps
• ESTS

• Fabric Network Devices

• Geneva Warm Path

• Hybrid Identity Service

• IAM – Data Insights and Reporting Service

• IAM – Information Worker UX

• IAM – Management Admin UX

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 14
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

• IAM – Self Service Credentials Management Service

• IAM – Shared Backend Services

• ICM Incident Management Service

• IDNS/RRs

• JIT

• Kusto

• MSODS

• OrgId

• Pilotfish
• Policy Administration Service

• RDFE

• RDOS

• Resource Providers:
o Compute Resource Provider (CRP)
o Network Resource Provider (NRP)
o Storage Resource Provider (SRP)

• Secret Store Service

• Self Service Group Management

• WANetMon
• WARM

• WATM

• Windows Azure Jumpbox

• Workflow

Details of Requirements Assessed

Justification for Approach
PCI DSS (Required for all “Partial” and “None” responses. Identify which
Requirement Full Partial None sub-requirements were not tested and the reason.)

Requirement 1: Requirement 1.3.6 – N/A, Microsoft Azure does not directly

store, process or transmit cardholder data on any in-scope
systems components.

Requirement 2: Requirement 2.1.1 - N/A, No wireless environment in-

scope within the Microsoft Azure Environment
Requirement 2.2.3 – N/A. No insecure services, daemons,
or protocols are enabled.
Requirement 2.6 – N/A, Microsoft Azure is not a shared
hosting provider.

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 15
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Requirement 3: Requirement(s) 3.1, 3.2, 3.3, 3.4, 3.6, 3.6.6 - N/A, Microsoft
Azure does not directly store, process or transmit
cardholder data on any in-scope systems components

Requirement 4: Requirement(s) 4.1.1 – N/A, There are no wireless

networks transmitting cardholder data or connected to the
Microsoft Azure environment.

Requirement 5: Requirement 5.1.2 – N/A, no systems within the Microsoft

Azure environment are considered to be not commonly
affected by malicious software without anti-virus software
installed

Requirement 6: Requirement 6.4.6 – N/A, no significant change occurred

within the past 12 months within the environment.

Requirement 7:

Requirement 8: Requirement 8.1.5 – N/A, Microsoft Azure does not allow

any vendors to access the Microsoft Azure environment
remotely
Requirement 8.7 – N/A, Microsoft Azure does not directly
store, process or transmit cardholder data on any in-scope
systems components.

Requirement 9: Requirement(s) 9.5.1, 9.6, 9.6.2, 9.6.3, 9.7, 9.7.1 – N/A,

Microsoft Azure does not utilize any media including
removable media containing sensitive data to be moved
outside the data centers.
Requirement 9.9, 9.9.1, 9.9.2, 9.9.3 – N/A, Microsoft Azure
does not directly process any card-present transactions
from any system including point-of-sale (POS) devices.

Requirement 10: Requirement 10.2.1 – N/A, Microsoft Azure does not

directly store any cardholder data within the in-scope
systems.

Requirement 11: Requirement 11.1.1 – N/A, No wireless environment in-

scope within the Microsoft Azure environment.
Requirement 11.2.3 – N/A, No material changes to the
Microsoft Azure environment occurred that would have
required an unscheduled scan

Requirement 12: Requirement 12.3.9 – N/A, Microsoft Azure does not allow
third-party/vendor remote access into its applications and
system components.
Requirement 12.3.10 - Not Applicable, Azure does not
directly store, process or transmit cardholder data on any
in-scope systems components and storage and customers.
Requirement(s) 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5 – Not
applicable, Azure does not leverage third party service
providers to secure the in-scope environment.

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 16
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Appendix A1: A1.1, A1.2, A1.3, A1.4 - N/A, Microsoft Azure is not a
shared hosting provider

Appendix A2: A2.1 – N/A, Microsoft Azure does not directly process any
card-present transactions from any system including point-
of-sale (POS) devices.
A2.2 – N/A, Microsoft Azure does not directly process any
card-present transactions from any system including point-
of-sale (POS) devices.

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 17
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Section 2: Report on Compliance

This Attestation of Compliance reflects the results of an onsite assessment, which is documented in an
accompanying Report on Compliance (ROC).

The assessment documented in this attestation and in the ROC was completed 3/1/2019
on:
Have compensating controls been used to meet any requirement in the ROC? Yes No

Were any requirements in the ROC identified as being not applicable (N/A)? Yes No

Were any requirements not tested? Yes No

Were any requirements in the ROC unable to be met due to a legal constraint? Yes No

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 18
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Section 3: Validation and Attestation Details

Part 3. PCI DSS Validation

This AOC is based on results noted in the ROC dated 3/1/2019.
Based on the results documented in the ROC noted above, the signatories identified in Parts 3b-3d, as
applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document
(check one):

Compliant: All sections of the PCI DSS ROC are complete, all questions answered affirmatively,
resulting in an overall COMPLIANT rating; thereby Microsoft Corporation - Microsoft Azure Cloud has
demonstrated full compliance with the PCI DSS.

Non-Compliant: Not all sections of the PCI DSS ROC are complete, or not all questions are
answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby N/A has not
demonstrated full compliance with the PCI DSS.
Target Date for Compliance: N/A
An entity submitting this form with a status of Non-Compliant may be required to complete the Action
Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.

Compliant but with Legal exception: One or more requirements are marked “Not in Place” due to a
legal restriction that prevents the requirement from being met. This option requires additional review
from acquirer or payment brand.
If checked, complete the following:

Affected Requirement Details of how legal constraint prevents requirement being met
Not Applicable Not Applicable

Part 3a. Acknowledgement of Status

Signatory(s) confirms:
(Check all that apply)

The ROC was completed according to the PCI DSS Requirements and Security Assessment
Procedures, Version 3.2.1, and was completed according to the instructions therein.
All information within the above-referenced ROC and in this attestation fairly represents the results of
my assessment in all material respects.
I have confirmed with my payment application vendor that my payment system does not store
sensitive authentication data after authorization.
I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to
my environment, at all times.
If my environment changes, I recognize I must reassess my environment and implement any
additional PCI DSS requirements that apply.

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 19
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Part 3a. Acknowledgement of Status (continued)

No evidence of full track data1, CAV2, CVC2, CID, or CVV2 data2, or PIN data3 storage after
transaction authorization was found on ANY system reviewed during this assessment.
ASV scans are being completed by the PCI SSC Approved Scanning Vendor Qualys (Certificate
number 3728-01-13)

Part 3b. Service Provider Attestation

Signature of Service Provider Executive Officer  Date: 3/8/2019

Service Provider Executive Officer Name: Pradeep Nair Title: Senior Director – Azure

Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable)

If a QSA was involved or assisted with this Conducted PCI DSS v3.2.1 remote and onsite assessment and
assessment, describe the role performed: documented compliance results in the Report on Compliance
(ROC) and the associated Attestation of Compliance (AOC).

Signature of Duly Authorized Officer of QSA Company  Date: 3/8/2019

Duly Authorized Officer Name: Divya Jeyachandran QSA Company: Coalfire Systems, Inc.

Part 3d. Internal Security Assessor (ISA) Involvement (if applicable)

If an ISA(s) was involved or assisted with Alan Luk – Gathered required evidence, coordinated in identifying
this assessment, identify the ISA personnel appropriate stakeholders and interviewees, assisted in the
and describe the role performed: interviewing process, served as the primary point of contact
between Coalfire and Microsoft executive management.

1
Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities
may not retain full track data after transaction authorization. The only elements of track data that may be retained are primary
account number (PAN), expiration date, and cardholder name.
2
The three- or four-digit value printed by the signature panel or on the face of a payment card used to verify card-not-present
transactions.
3
Personal identification number entered by cardholder during a card-present transaction, and/or encrypted PIN block present
within the transaction message.
PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 20
DocuSign Envelope ID: 174F914A-1EFB-4429-8AE8-1A478A85EC61

Part 4. Action Plan for Non-Compliant Requirements

Select the appropriate response for “Compliant to PCI DSS Requirements” for each requirement. If you
answer “No” to any of the requirements, you may be required to provide the date your Company expects to be
compliant with the requirement and a brief description of the actions being taken to meet the requirement.
Check with the applicable payment brand(s) before completing Part 4.
Compliant to PCI Remediation Date and
PCI DSS DSS Requirements Actions
Description of Requirement
Requirement (Select One) (If “NO” selected for any
YES NO Requirement)

Install and maintain a firewall

1
configuration to protect cardholder data
Do not use vendor-supplied defaults for
2 system passwords and other security
parameters

3 Protect stored cardholder data

Encrypt transmission of cardholder data

4
across open, public networks
Protect all systems against malware
5 and regularly update anti-virus software
or programs
Develop and maintain secure systems
6
and applications
Restrict access to cardholder data by
7
business need to know
Identify and authenticate access to
8
system components
Restrict physical access to cardholder
9
data
Track and monitor all access to network
10
resources and cardholder data
Regularly test security systems and
11
processes
Maintain a policy that addresses
12
information security for all personnel
Additional PCI DSS Requirements for
Appendix A1
Shared Hosting Providers
Additional PCI DSS Requirements for
Appendix A2 Entities using SSL/early TLS for Card-
Present POS POI Terminal Connections

PCI DSS v3.2.1 Attestation of Compliance for Onsite Assessments – Service Providers, Rev. 1.0 June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 21