0
votes

Question about PCI-DSS compliance when a website is hosted in the cloud.

So, the website has a form asking for credit card details.

This form is then posted back into my site and the card details are manipulated into an XML message, which is then sent to a 3rd party web service which is certified to be PCI compliant. This 3rd party service in turn sends the details to a card processor, and the result is returned to my website again via the 3rd party service.

Main question is: does my website need to be compliant? Does that manipulation into the XML message constitute processing it?

The main point is that the website is hosted in Microsoft Azure and I've just read various things about it not being compliant, and if I'm then using it to effectively process...??

Many thanks

2 Answers

1
votes

UPDATE: Azure is now Level 1 compliant. http://blogs.msdn.com/b/niallsblog/archive/2014/01/16/mid-january-azure-update.aspx

Yes, if the data is posted to your server then it needs to be PCI compliant. This rules out Azure. You'll either need to host that part of your architecture in a compliant system or post directly from the browser to the 3rd party service.

0
votes

As of Jan 2014 Azure seems to have achieved compliance; see the link below for their attestation of compliance.

Azure attestation of compliance