News Ticker

Is Microsoft Dynamics CRM 2011 PCI Compliant?

PCI DSSBefore we answer this question, let us first find out what does PCI Compliance mean. PCI stands for Payment Card Industry and PCI has laid down a proprietary information security standard to handle cardholder information for major credit, debit, prepaid, e-purse, ATM and POS cards. This standard is known as PCI DSS or PCI Data Security Standard. The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.

Payment Card Industry Security Standards Council (PCI SSC) has defined the standards and the compliance can only be validated by an external Qualified Security Assessor (QSA). This standard enforces measures to reduce credit card fraud.

The current version of PCI DSS is 2.0 which was released on 26 Oct 2010.  The PCI DSS specifies and enforces a set of security standards to protect information during a financial transaction. The main six objectives of PCI DSS are:

Objectives PCI DSS Requirements
Build and Maintain a Secure Network
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Use and regularly update anti-virus software on all systems commonly affected by malware
Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain an Information Security Policy
Maintain a policy that addresses information security

Dynamics CRM 2011 Online ordering, billing and payment systems which can handle credit card data are Level 1 PCI DSS compliant. As per Microsoft’s Dynamics CRM Online Security and Service Continuity Guide, “Microsoft Dynamics CRM Online has satisfactorily met the Payment Card Industry Data Security Standard (PCI DSS) version 1.2.

However, “The Microsoft Dynamics CRM Online service is not suitable for processing, transmitting, or storing PCI-governed data. PCI-DSS is an industry standard designed to protect and maintain sensitive data during transmission and storage throughout the data life cycle. At a minimum, organizations that support transactions via credit and debit cards are required to have a degree of compliance to the PCI standard.

There is confusion in the marketplace around the impact of PCI DSS; many customers state that all data within their organizations requires PCI certification and compliance, and that the online service must also demonstrate compliance. While Microsoft does need to be compliant for the Primary Account Number (PAN) data it processes, and it is, customers should not use the Microsoft Dynamics CRM Online service to transmit or store PAN data for their own use.

PCI compliance will only apply if Primary Account Number (PAN) is transmitted or stored within the online environment. To be compliant, the PAN data must be encrypted during transmission and storage. In addition, reporting must demonstrate that this encryption has successfully protected the PAN data. As a result, the service is not a suitable storage medium for PAN data, and companies should apply customer-side policies to prevent the transmission of PAN data to the online environment. To integrate transaction information, customers may choose to use a PCI validated payment gateway service, which stores and processes the PAN data.”

About Dipankar Bhattacharya (59 Articles)
A multi-skilled Dynamics 365 Professional with strong experience in delivering IT projects especially across multiple industries. A Microsoft technology evangelist, a regular speaker at tech events, blogger and avid reader. Certified IT Architect and well versed in Solution Architecture of Business Applications using Microsoft platforms like Dynamics 365, Azure and Office 365.

1 Comment on Is Microsoft Dynamics CRM 2011 PCI Compliant?

  1. An older but interesting article. MS states that their online solution is not PCI compliant, however we have used CRM with some encryption to store PCI compliant data and passed a security check for PCI for a hosted IFD solution. We could not find anything to contradict this in MS literature. After all it is just data in SQL at the end of the day.
    Contact us if you are reading this and want to know more.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: