Office 365

Applies to: Office 365

Topic Last Modified: 2017-10-30

The information in this article applies to worldwide versions of Office 365. If you are using a national cloud instance of Office 365, including Office 365 U.S. Government, Office 365 Germany, and Office 365 operated by 21Vianet, see Microsoft National Clouds.
Availability of Partner features varies by region.

Microsoft Office 365 complies with industry standard regulations, and is designed to help you meet regulatory requirements for your business. For more information, see Regulatory Compliance.

For details on the following industry certifications, see Independently verified and Security, Audits, and Certifications.

  • SAS 70 / SSAE16 Assessments

  • ISO 27001 certified

  • EU Model Clauses

  • EU Safe Harbor

  • HIPAA-Business Associate Agreement

  • FISMA/FedRAMP Authority to Operate

  • Microsoft Data Processing Agreement

  • PCI DSS Level One

In addition, note the following:

  • Gramm-Leach-Bliley Act (GLB)   The GLB sets minimum security and privacy requirements for financial institutions in the United States. Software or services cannot claim to be “GLB compliant” because GLB compliance also requires procedures and policies. Two of the principal regulations under GLB that affect Office 365 services are:

    • Financial Privacy Rule   This rule governs the collection and disclosure of customers’ personal financial information by financial institutions.

    • Safeguards Rule   This rule requires all financial institutions to design, implement, and maintain safeguards to protect customer information, whether they collect such information themselves or receive it from other financial institutions.

  • Payment Card Industry Data Security Standard (PCI-DSS) Level One   The Office 365 ordering, billing, and payment systems that handle credit card data are PCI Level One compliant, so customers can pay for the services by credit card with confidence. An independent third party audits the Microsoft Online Commerce Platform (OCP) that supports Office 365 and determines whether it meets PCI-DSS version 1.2.

  • PCI-governed data   Office 365 services are not suitable for processing, transmitting, or storing PCI-governed data. PCI-DSS is an industry standard designed to protect sensitive cardholder data during transmission and storage throughout its life cycle. At a minimum, every organization that accepts credit or debit card transactions must demonstrate some level of compliance with the PCI standard.

    There is much confusion in the marketplace about the scope of PCI-DSS. Many customers assume that all data within their organization requires PCI certification and compliance, and therefore that Microsoft Online Services must also demonstrate compliance for that data. Microsoft Online Services must be compliant for the Primary Account Number (PAN) data it processes in its own commerce systems, and it is; but that does not make the service a place for customers to transmit or store PAN data of their own.

    PCI compliance applies only where PAN data is transmitted or stored within the online environment. To be compliant, PAN data must be encrypted during transmission and storage, and reporting must demonstrate that this encryption has in fact protected the PAN data. The service is therefore not a suitable storage medium for unencrypted PAN data, and companies should apply customer-side policies that prevent unencrypted PAN data from being sent to the online environment. Customers must determine for themselves whether their on-premises and in-service controls are sufficient to enforce encryption of PAN data and to produce the required reporting.
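A customer-side check of the kind described above, added here as an illustration and not code from the Office 365 service description or from Microsoft's own data loss prevention engine: it scans an outgoing message for digit runs that look like a PAN, keeps only those that pass the Luhn check digit test (which is what separates a card number from an order number or phone number of similar length), and masks them before the text leaves the customer environment. The sample message, the regular expression, and the function names are assumptions made for this example; a real deployment would hook the same logic into a mail or file transport policy.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally split into groups by single
# spaces or dashes ("4111 1111 1111 1111"). The lookarounds stop us matching
# a 16-digit window inside a longer digit run.
# (Assumed pattern for this example, not Microsoft's detector.)
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812-1); `digits` is ASCII digits only.

    From the right, every second digit is doubled (subtracting 9 if the
    result exceeds 9) and the total must be a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the group separators so only the digits remain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in `text`."""
    found = []
    for match in _CANDIDATE.finditer(text):
        digits = _normalise(match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN in `text`, keeping only the last four digits.

    Digit runs that fail the Luhn check (order numbers, reference codes)
    are left untouched so the policy does not mangle ordinary business text.
    """
    def _mask(match):
        digits = _normalise(match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group(0)

    return _CANDIDATE.sub(_mask, text)


# Constructed sample of an outbound message. 4111 1111 1111 1111 is the
# well-known Visa test number (Luhn-valid); the purchase order reference is
# 16 digits but fails the Luhn check and so must not be treated as a PAN.
SAMPLE_MESSAGE = (
    "Hi, please charge the deposit to my card 4111 1111 1111 1111, exp 09/27.\n"
    "Our PO reference is 1234567890123456 and the phone is +1 555 0100.\n"
)

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_MESSAGE))
    print(redact_pans(SAMPLE_MESSAGE))
```

The Luhn test is the important part: a policy that blocks every 16-digit number will generate so many false positives on invoices and ticket numbers that users route around it, while one that only looks for a card brand prefix misses PANs typed with spaces or dashes. Redaction on the customer side keeps unencrypted PAN data out of the service, which is the control this section asks for.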

To view feature availability across Office 365 plans, see Office 365 Platform Service Description.
