May 14, 2024
6 min read

Is Office 365 PCI Compliant?

Ensure Compliance with PCI DSS within Office 365 with Strac's Data Loss Prevention Solution

TL;DR

  • Microsoft Compliance Manager can assess compliance risks associated with PCI DSS; however, Office 365 is not automatically PCI compliant out of the box.
  • When configured correctly, with security mechanisms in place, Office 365 can be used to store PCI data in a compliant way.
  • Even when configured correctly, there is an ongoing risk of sensitive PCI data being leaked from Office 365.
  • The new PCI DSS 4.0 introduces new requirements, including stricter controls around handling payment card / PAN data.
  • Organizations are advised against storing cardholder data unless absolutely necessary. Where data is stored, organizations should implement strict access controls and data encryption.

Can You Store PCI Data in Office 365?

Office 365 is a suite of cloud-based software applications owned by Microsoft. As one of the largest and most widely used cloud-service providers, Microsoft has taken steps to ensure that many of its products comply with the Payment Card Industry (PCI) Data Security Standard (DSS).

For example, Microsoft includes a Compliance Manager (Microsoft Purview Compliance Manager) with Office 365 that can be used to assess your organization’s compliance risks against PCI DSS. Compliance Manager identifies which actions you should take to reduce those risks, such as setting up access controls, but it only recommends and tracks them; it does not configure the controls for you.

Note that Office 365 is not PCI DSS compliant straight out of the box, and that Microsoft advises against using Microsoft 365 to store cardholder data. Your organization can, however, configure Office 365 to bring it into compliance with PCI DSS. Keep in mind that if you choose to store PCI data within Office 365, your organization is wholly responsible for ensuring compliance with PCI DSS: Microsoft's own assessments cover the service it operates, not how you use it.


Can PCI Data be Leaked from Office 365?

Achieving Office 365 compliance with PCI DSS is not a one-and-done procedure. Your organization must maintain compliance on an ongoing basis. Even with security configurations in place, sensitive PCI data must be handled correctly in order to comply with PCI DSS.

Where a dedicated data loss prevention solution is not in place, your employees must be trained on how to handle sensitive PCI data appropriately. Accidental sharing (a card number pasted into an email, a chat message, or a shared spreadsheet) and unauthorized access to those locations are the most common causes of data leaks.

Beyond misconfigured permissions and inadequate user training, sensitive PCI data is often the target of external threats. To shield PCI data from both accidental leaks and malicious external threats, organizations can implement DLP solutions that identify sensitive PCI data in documents and messages and redact it.

What are the New PCI 4.0 Requirements for PCI Data in Office 365?

PCI DSS 4.0 is a major step forward from the previous version 3.2.1, which was retired on March 31, 2024. PCI DSS 4.0 introduces a number of new requirements that apply to cardholder data wherever it is held, including on cloud-based platforms such as Office 365. Several of them (including 3.4.2, 3.5.1.1 and 12.10.7 discussed here) were published as future-dated requirements and become mandatory on March 31, 2025.

The key updates to be aware of include: 

1. No Unauthorized Copy/Relocation of PAN

New requirement 3.4.2 applies where remote-access technologies are used: technical controls must prevent the copying or relocation of PAN for all personnel, except those with documented, explicit authorization and a legitimate, defined business need. In an Office 365 context this covers copy-and-paste, download, and sync of PAN out of a remote session into a location outside the cardholder data environment.

Only individuals with recorded approval and a valid business justification may copy or transfer PAN, and the control must be technical rather than a policy alone: a written rule that nothing enforces does not satisfy the requirement.

This level of control matters in cloud settings like Office 365, where staff reach mailboxes and documents remotely from many devices, so copying PAN out of a controlled location is easy to do and hard to notice after the fact.


2. PAN Must Be Unreadable

Requirement 3.5.1 requires that PAN be rendered unreadable anywhere it is stored, which includes databases, files, and logs housed on platforms such as Office 365. The permitted methods are one-way hashes based on strong cryptography, truncation, index tokens, or strong cryptography with associated key management.

New requirement 3.5.1.1 tightens the hashing option: any hash used to make PAN unreadable must be a keyed cryptographic hash of the entire PAN, with key-management processes and procedures in place. A plain, unkeyed hash is no longer acceptable because the PAN space is small and structured; an attacker who obtains unkeyed hashes and knows the BIN and last four digits (which may legitimately be displayed) can recover the full PAN by brute force. Note that hashing is not encryption: a hash is one-way and cannot be reversed to display the PAN later, whereas encrypted PAN can be decrypted by whoever holds the key.

This measure secures PAN against unauthorized access and breaches, particularly when it is stored in a cloud-based environment such as Office 365.
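The detection-and-redaction step described under "Can PCI Data be Leaked from Office 365?" and the keyed-hash point of Requirement 3.5.1.1 above, as one added example. This is illustrative code written for this article; it is not Strac's product code and is not from Microsoft or the PCI SSC. It assumes a constructed sample message, the well-known Visa test number 4111 1111 1111 1111, and an attacker who already knows the BIN and last four digits (the parts PCI DSS permits to be displayed); all function names are hypothetical.

```python
"""Added example (not Strac's or Microsoft's code): find PANs in free text,
redact them, and show why PCI DSS 4.0 Req. 3.5.1.1 demands a *keyed* hash."""
import hashlib
import hmac
import re
import secrets
from typing import List, Optional, Tuple

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Luhn "double and subtract 9" table for digits 0-9.
_DOUBLE = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)


def luhn_valid(digits: str) -> bool:
    """Luhn check: every second digit from the right is doubled. Filters most
    random digit runs (order numbers, ticket IDs) that the regex would match."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        total += _DOUBLE[d] if i & 1 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking per Req. 3.4.1: at most the BIN (first 6) and last 4 shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_text(text: str) -> Tuple[str, List[str]]:
    """Replace every Luhn-valid PAN in text with its masked form.
    Returns (redacted_text, list_of_pans_found_as_plain_digits)."""
    hits: List[str] = []

    def _sub(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
            return mask_pan(digits)
        return m.group()          # digit run that fails Luhn: leave it alone

    return PAN_RE.sub(_sub, text), hits


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN. NOT sufficient under Req. 3.5.1.1."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the entire PAN with a managed secret key (Req. 3.5.1.1)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target: str, bin6: str, last4: str, hash_fn) -> Optional[str]:
    """Attacker's view of a 16-digit PAN: BIN and last 4 are routinely visible
    (truncated PANs, receipts), so only the middle 6 digits are unknown.
    Luhn discards 90% of the 10^6 candidates before any hashing is done."""
    for n in range(1_000_000):
        candidate = f"{bin6}{n:06d}{last4}"
        if luhn_valid(candidate) and hash_fn(candidate) == target:
            return candidate
    return None


# Constructed sample message (not real data); the ticket number is 13 digits
# but fails Luhn, so it must survive redaction.
SAMPLE_EMAIL = (
    "Hi, please refund card 4111 1111 1111 1111 for order 20240514, "
    "and note ticket 1234567890123 is unrelated.\n"
)
TEST_PAN = "4111111111111111"   # well-known Visa test number, Luhn-valid

if __name__ == "__main__":
    redacted, hits = redact_text(SAMPLE_EMAIL)
    print(redacted, end="")    # card shown as 411111******1111, ticket untouched
    print("found:", hits)

    # Unkeyed hash: recovered from BIN + last 4 after ~10^5 hash computations.
    print("unkeyed ->", recover_pan(unkeyed_hash(TEST_PAN), "411111", "1111", unkeyed_hash))

    # Keyed hash: without the key the same search exhausts the space and fails.
    key = secrets.token_bytes(32)
    print("keyed, no key ->", recover_pan(keyed_hash(TEST_PAN, key), "411111", "1111", unkeyed_hash))
```

The unkeyed search succeeds within a few hundred thousand cheap Luhn checks, which is the whole reason 3.5.1.1 exists: a SHA-256 of a PAN protects nothing once the BIN and last four are known. The keyed search runs the same million candidates and returns None because the digest depends on a key the attacker does not hold, which in turn makes the key itself the asset to protect under the key-management requirements of 3.6 and 3.7.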

3. Incident Response for PAN Data Leaks

Requirement 12.10.7 requires incident response procedures that are initiated upon detection of stored PAN anywhere it is not expected, such as a mailbox, a shared spreadsheet, a chat message, or a log file in Office 365.

The procedure is more than a notification: it must determine what to do with the discovered data (securely delete it or move it into the cardholder data environment), whether sensitive authentication data is stored with it, where the data came from and how it got there, and what process gap allowed the leak so that the gap can be closed.

This requirement underlines the need for continuous monitoring, prompt response capabilities, and incident management procedures that cover Office 365.


4. Protecting Payment Information in Office 365

In the interests of mitigating leaks of sensitive customer information, organizations are advised against storing cardholder data unless there is a specific need to do so.

Suggestions for protecting PCI data include:

  • Endpoint devices such as payment card terminals should not retain card data.
  • Where PAN or payment card information is printed, such as on receipts, it should be truncated or masked to safeguard the cardholder's information.
  • Servers and storage devices should be kept locked, with access controls in place at all times.
  • Comprehensive access controls must be enforced to reduce the risk of unauthorized access of any stored PCI data.

Collectively, these practices can address digital and physical security concerns and safeguard sensitive cardholder information stored in cloud-based applications such as Office 365.

To maintain compliance with PCI DSS 4.0, organizations using Office 365 must evaluate and update their existing configurations and operational procedures. This involves regular assessments of your use of Office 365 to ensure ongoing alignment with the requirements of PCI DSS 4.0, with particular attention to encryption and access controls.

How Can Strac Enhance Data Security on Office 365?

Strac is a comprehensive data loss prevention solution, offering robust features that safeguard sensitive information across Office 365 and other platforms.

Here’s how Strac reinforces data security:

  • Customizable Detection Capabilities: Strac supports detectors for sensitive data elements including PCI, HIPAA, GDPR, and more. It also allows users to configure their own detectors, ensuring that even sensitive data embedded in images or various document formats is securely managed. Explore Strac’s extensive catalog of sensitive data elements.
  • Achieving Compliance with Ease: Strac’s DLP solution helps organizations achieve compliance with major standards like PCI, SOC 2, HIPAA, ISO-27001, CCPA, GDPR, and NIST, providing peace of mind and ease of management.
  • Integration and Automation: Strac integrates seamlessly in under 10 minutes, offering immediate data protection such as live scanning and redaction in SaaS applications. This high level of integration and automation facilitates efficient and immediate protection of sensitive data. Check the available Strac integrations.
  • Advanced Accuracy in Detection and Redaction: Utilizing custom machine learning models, Strac ensures highly accurate detection of sensitive data, minimizing both false positives and false negatives, thus enhancing operational reliability. Learn more about Strac's Office 365 DLP solution.
  • Support for Developers: Strac offers API access, allowing developers to create custom data detection and redaction solutions. Developers can find more resources in Strac’s Developer Documentation.

Strac’s DLP solutions extend beyond traditional data protection measures, ensuring continuous compliance and security in an increasingly complex digital landscape.

Learn more about the Strac Office 365 integration. Book a free 30-minute demo for a practical demonstration of Strac’s DLP solutions.
