Compliance in Microsoft Cloud for Retail

Microsoft Azure, Microsoft Dynamics 365, Microsoft 365, and Microsoft Power Platform services and its underlying infrastructure employ a security framework that encompasses industry best practices and spans multiple standards. These standards include the ISO 27000 family of standards, among others. As part of our comprehensive compliance offering, Microsoft regularly undergoes independent audits performed by qualified partner accredited assessors.

To use Microsoft Cloud for Retail, you need to agree to the Online Service Terms and the Microsoft Privacy Statement as the qualifying license terms for Microsoft 365/Office 365, Dynamics 365, Microsoft Power Platform, and Azure.

The following table lists the products available with Microsoft Cloud for Retail and their compliance offerings:

Product Family Product ISO 27001 ISO 27017 ISO 27018 ISO 22301 SOC2 Type 2 PCI DSS Level 1 GDPR
Dynamics 365 Marketing
Dynamics 365 Customer Service
Dynamics 365 Customer Insights
Dynamics 365 Commerce
Dynamics 365 Connected Store -
Dynamics 365 Fraud Protection - - - -
Dynamics 365 Intelligent Order Management -
Dynamics 365 Intelligent Recommendations - - - - - -
Dynamics 365 Supply Chain Insights - - - - - - -
Dynamics 365 Supply Chain Management
Dynamics 365 Chat for Dynamics
Microsoft 365 Microsoft Teams - - - - - -
Microsoft 365 Viva Connections - - - - - - -
Microsoft 365 Viva Insights - - - - - - -
Microsoft 365 Viva Learning - - - - - - -
Microsoft Azure Azure Search
Microsoft Azure Azure Synapse Analytics
Microsoft Clarity - - - - -
Power Virtual Agents
PromoteIQ - - - - - -

Legend: ✅ = available

You can find more details about these offerings on our compliance page.

Elevated access

Microsoft internal policy allows Microsoft employees who have the appropriate security group membership to request temporary just-in-time elevated access so that they can perform servicing and support activities on production systems. The internal ticketing system tracks and reviews every just-in-time access request.

Disclaimer

It's important to understand that PCI DSS compliance status for Microsoft Cloud for Retail solutions doesn't automatically translate to PCI DSS certification for the services that customers build or host on these platforms. Additionally, Microsoft Cloud for Retail doesn't offer payment card processing as a service and thus doesn't use an acquirer. Customers are responsible for ensuring that they achieve compliance with PCI DSS requirements.

You can find the regulatory compliance standards that apply to certain features offered through the Microsoft Retail Add-On on the compliance dashboard. You can also visit our Trust Center to learn more about Microsoft’s commitments to data protection and privacy.

Resources