Add PCI compliance FAQ and restructure compliance content

msmbaldwin · msmbaldwin · commit e4646f550d2e · 2026-03-31T17:56:00.000-07:00
diff --git a/articles/cloud-hsm/authentication.md b/articles/cloud-hsm/authentication.md
@@ -4,7 +4,7 @@ description: Learn about various authentication methods and best practices for s
 author: msmbaldwin
 ms.service: azure-cloud-hsm
 ms.topic: feature-guide
-ms.date: 03/20/2025
+ms.date: 03/31/2026
 ms.author: mbaldwin
 #customer intent: As a Cloud HSM administrator, I want to learn how to secure and optimize my Cloud HSM deployment so that I can ensure the highest level of security and performance.
 ---
@@ -13,6 +13,10 @@ ms.author: mbaldwin
 
 Authentication is a crucial aspect of securely accessing and operating within Azure Cloud HSM. This article outlines authentication methods, including command-line interface (CLI), PKCS#11, Java Cryptography Extension (JCE), and OpenSSL. This article also provides best practices for multithreading and session handling.
 
+## Supported authentication methods
+
+Azure Cloud HSM supports only password-based authentication. It doesn't support authentication through a PIN entry device (PED).
+
 ## Cloud HSM CLI authentication
 
 You can authenticate by using CLI tools like `azcloudhsm_util` in either interactive mode or single-command mode. In interactive mode, use the `loginHSM` command. For single-command mode, include `singlecmd` and parameters for `loginHSM`. We advise you to securely store your HSM credentials when your application isn't using them.
diff --git a/articles/cloud-hsm/faq.yml b/articles/cloud-hsm/faq.yml
@@ -5,7 +5,7 @@ metadata:
   author: msmbaldwin  
   ms.service: azure-cloud-hsm 
   ms.topic: faq  
-  ms.date: 03/20/2025 
+  ms.date: 03/31/2026 
   ms.author: mbaldwin  
 title: FAQ about Azure Cloud HSM
 summary: Find answers to common questions about Microsoft Azure Cloud HSM.  
@@ -27,7 +27,7 @@ sections:
       - question: |-  
           What hardware is used for Azure Cloud HSM?  
         answer: |-  
-          Azure Cloud HSM uses Marvell LiquidSecurity hardware security modules. For more information about service specifications, see [Azure Cloud HSM service limits](service-limits.md).
+          Azure Cloud HSM uses Marvell LiquidSecurity hardware security modules. For more information about hardware specifications and service limits, see [Azure Cloud HSM service limits](service-limits.md).
       - question: |-  
           What software is provided with Azure Cloud HSM?  
         answer: |-  
@@ -137,7 +137,7 @@ sections:
       - question: |-  
           Can I update the partition owner certificate after I upload it?  
         answer: |-  
-          No. You can't change the partition owner certificate after you upload it. If you upload `PO.crt` in error, you need to delete your Azure Cloud HSM resource and deploy again. 
+          No. For details about partition owner certificate management, see [User management in Azure Cloud HSM](user-management.md#protect-your-partition-owner-certificate). 
   
   - name: Business continuity
     questions:
@@ -185,17 +185,19 @@ sections:
       - question: |-  
           Does Azure Cloud HSM support FIPS 140-3 Level 3?  
         answer: |-  
-          Yes, Azure Cloud HSM offers HSMs that are validated to meet the FIPS 140-3 Level 3 standards. For procedures to verify the authenticity of your HSM, including checking the [FIPS 140-3 Level 3 certification from NIST](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4700), refer to the [onboarding guide](onboarding-guide.md). For more information about compliance, see [What is Azure Cloud HSM?](overview.md).
+          Yes. For details, see [Compliance and certification](overview.md#compliance-and-certification).
       - question: |-  
           Does Azure Cloud HSM support eIDAS? 
         answer: |-  
-          Yes. Azure Cloud HSM supports eIDAS compliance under the Austrian scheme by providing secure key management, cryptographic operations, and FIPS 140-3 Level 3 validated hardware to meet stringent requirements for qualified electronic signatures and seals, to help ensure regulatory compliance. Learn more in the [QSCD Certificate](https://www.a-sit.at/wp-content/uploads/2024/10/VIG-19-078-QSCD-Certificate-Final_sig-HL.pdf). For more information about security standards, see [Secure your Azure Cloud HSM deployment](secure-cloud-hsm.md).
+          Yes. For details, see [Compliance and certification](overview.md#compliance-and-certification).
+      - question: |-  
+          Does Azure Cloud HSM support PCI? 
+        answer: |-  
+          Yes. For details, see [Compliance and certification](overview.md#compliance-and-certification).
       - question: |-  
           What happens if someone tampers with the HSM hardware?  
         answer: |-  
-          Azure Cloud HSM incorporates both physical and logical tamper detection and response mechanisms that initiate key deletion (zeroization) of the hardware. These measures are designed to detect tampering if the physical barrier is compromised.
-          
-          Additionally, HSMs are safeguarded against brute-force sign-in attacks. The system locks out cryptography officers (COs) after a set number of unsuccessful access attempts. Similarly, repeated unsuccessful attempts to access an HSM with cryptography user (CU) credentials result in locking out the user. A CO must then unlock the CU. Unlocking a CO requires `getChallenge` and signing the challenge with `PO.key` via OpenSSL, followed by `unlockCO` and `changePswd` commands. For more information about security features, see [Secure your Azure Cloud HSM deployment](secure-cloud-hsm.md).
+          Azure Cloud HSM incorporates tamper detection and response mechanisms. For details, see [Physical security](overview.md#physical-security).
   
   - name: Support  
     questions:  
@@ -206,15 +208,15 @@ sections:
       - question: |-  
           How are the HSMs used in Azure Cloud HSM protected?
         answer: |-  
-          Azure datacenters have extensive physical and procedural security controls. Additionally, the HSMs in Azure Cloud HSM are hosted in a restricted access area of the datacenter, with physical access controls and video surveillance for added security. For more information about physical security, see [Secure your Azure Cloud HSM deployment](secure-cloud-hsm.md).
+          Azure datacenters have extensive physical and procedural security controls. For details, see [Physical security](overview.md#physical-security).
       - question: |-  
           Can Microsoft recover my keys if I lose the credentials to my HSM?
         answer: |-  
           No. Microsoft doesn't have access to your keys or credentials and can't recover your keys if you lose your credentials. For more information about credential management, see [User management in Azure Cloud HSM](user-management.md).
       - question: |-  
           Does Azure Cloud HSM have scheduled maintenance windows?
         answer: |-  
-          No, although Microsoft might need to perform maintenance for necessary upgrades or faulty hardware. We notify customers in advance if we anticipate any impact. For more information about operational considerations, see [Secure your Azure Cloud HSM deployment](secure-cloud-hsm.md).
+          No. For details, see [Service operations](overview.md#service-operations).
       - question: |-  
           What is the SLA for Azure Cloud HSM?  
         answer: |-  
diff --git a/articles/cloud-hsm/overview.md b/articles/cloud-hsm/overview.md
@@ -4,7 +4,7 @@ description: Learn how Azure Cloud HSM offers cryptographic key storage within t
 author: keithp
 ms.service: azure-cloud-hsm
 ms.topic: overview
-ms.date: 03/20/2025
+ms.date: 03/31/2026
 ms.author: keithp
 
 #customer intent: As an IT pro decision-maker, I'm looking for key storage capability within the Azure cloud platform that meets FIPS 140-3 Level 3 certification and that gives me exclusive access to a dedicated hardware security module.
@@ -42,9 +42,21 @@ The Azure Cloud HSM cluster supports load balancing of cryptographic operations.
 
 Each Azure Cloud HSM instance is dedicated to a single customer. Each HSM cluster uses a separate customer-specific security domain that cryptographically isolates it.
 
-### FIPS 140-3 Level 3 compliance
+## Compliance and certification
 
-Many organizations have stringent industry regulations that dictate that cryptographic keys must be stored in [FIPS 140-3 Level 3](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4700) validated HSMs. Azure Cloud HSM helps customers from various industry segments (financial services industry, government agencies, and others) meet these FIPS requirements.
+Azure Cloud HSM meets multiple industry compliance standards and certifications to help customers satisfy regulatory requirements.
+
+### FIPS 140-3 Level 3
+
+Many organizations have stringent industry regulations that dictate that cryptographic keys must be stored in FIPS 140-3 Level 3 validated HSMs. Azure Cloud HSM offers HSMs that are validated to meet FIPS 140-3 Level 3 standards. For procedures to verify the authenticity of your HSM, including checking the [FIPS 140-3 Level 3 certification from NIST](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4700), refer to the [onboarding guide](onboarding-guide.md). Azure Cloud HSM helps customers from various industry segments (financial services industry, government agencies, and others) meet these FIPS requirements.
+
+### eIDAS
+
+Azure Cloud HSM supports eIDAS compliance under the Austrian scheme by providing secure key management, cryptographic operations, and FIPS 140-3 Level 3 validated hardware to meet stringent requirements for qualified electronic signatures and seals to help ensure regulatory compliance. Learn more in the [QSCD Certificate](https://www.a-sit.at/wp-content/uploads/2024/10/VIG-19-078-QSCD-Certificate-Final_sig-HL.pdf).
+
+### PCI and PCI 3DS
+
+Azure Cloud HSM provides HSMs that are validated to meet PCI and PCI 3DS standards. For more details on PCI compliance certification for Azure Cloud HSM, refer to the [PCI 3DS Attestation of Compliance (AOC)](https://servicetrust.microsoft.com/DocumentPage/c88a84bd-bb48-4fe0-b93f-b4cfb7c20ba2) in Microsoft Service Trust Center.
 
 ## Azure Cloud HSM suitability
 
@@ -78,6 +90,18 @@ Azure Cloud HSM doesn't integrate with other platform as a service (PaaS) or sof
 
 Azure Cloud HSM is not a good fit for Microsoft cloud services that require support for encryption with customer-managed keys. These services include Azure Information Protection, Azure Disk Encryption, Azure Data Lake Storage, Azure Storage, and Microsoft Purview Customer Key. For those scenarios, customers should use [Azure Key Vault Managed HSM](../key-vault/managed-hsm/overview.md).
 
+## Physical security
+
+Azure datacenters have extensive physical and procedural security controls. The HSMs in Azure Cloud HSM are hosted in a restricted access area of the datacenter, with physical access controls and video surveillance for added security.
+
+Azure Cloud HSM incorporates both physical and logical tamper detection and response mechanisms that initiate key deletion (zeroization) of the hardware. These measures are designed to detect tampering if the physical barrier is compromised.
+
+HSMs are safeguarded against brute-force sign-in attacks. The system locks out cryptography officers (COs) after a set number of unsuccessful access attempts. Similarly, repeated unsuccessful attempts to access an HSM with cryptography user (CU) credentials result in locking out the user. A CO must then unlock the CU. Unlocking a CO requires the `getChallenge` command, signing the challenge with the partition owner key (`PO.key`) via OpenSSL, followed by the `unlockCO` and `changePswd` commands.
+
+## Service operations
+
+Azure Cloud HSM doesn't have scheduled maintenance windows. However, Microsoft might need to perform maintenance for necessary upgrades or faulty hardware replacement. Customers are notified in advance if any impact is anticipated.
+
 ## Next steps
 
 These resources are available to help you facilitate the provisioning and configuration of HSMs into your existing virtual network environment:
diff --git a/articles/cloud-hsm/secure-cloud-hsm.md b/articles/cloud-hsm/secure-cloud-hsm.md
@@ -26,6 +26,10 @@ Azure Cloud HSM is a single-tenant, FIPS 140-3 Level 3 validated service that gr
 
 - **Restrict access to the Partition Owner private key**: Limit access to the Partition Owner of the Application Partition (POTA) private key (`PO.key`). The Admin of the Application Partition (AOTA) and POTA private keys are equivalent to root access and can reset passwords for cryptography officer (CO) users in a partition (AOTA for partition 0, POTA for user partitions). `PO.key` is unnecessary for HSM access during runtime. It's required only for the initial signing of Partition Owner Authentication Certificate (POAC) and CO password resets. Store `PO.key` offline and perform the initial POAC signing on an offline machine, if possible. Customers are accountable for safeguarding their POTA private key — losing it results in the inability to recover CO passwords. Securely store the POTA private key and maintain suitable backups. See [User management in Azure Cloud HSM](user-management.md).
 
+## Compliance and certification
+
+Azure Cloud HSM meets multiple industry compliance standards and certifications, including FIPS 140-3 Level 3, eIDAS, and PCI/PCI 3DS. For details, see [Compliance and certification](overview.md#compliance-and-certification).
+
 ## Network security
 
 Properly configuring your network can help prevent unauthorized access and reduce exposure to external threats.
@@ -98,3 +102,11 @@ Azure Cloud HSM provides high availability through clustered HSMs that synchroni
 - [Enable just-in-time access to virtual machines](/azure/defender-for-cloud/just-in-time-access-overview)
 - [Adopt a Zero Trust approach](/azure/security/fundamentals/network-best-practices#adopt-a-zero-trust-approach)
 - [Zero Trust guidance center](/security/zero-trust/zero-trust-overview)
+
+## Physical security
+
+Azure Cloud HSM is hosted in secure datacenters with tamper detection mechanisms. For details, see [Physical security](overview.md#physical-security).
+
+## Service operations
+
+Azure Cloud HSM doesn't have scheduled maintenance windows, but Microsoft notifies customers in advance of any anticipated impact. For details, see [Service operations](overview.md#service-operations).
diff --git a/articles/cloud-hsm/service-limits.md b/articles/cloud-hsm/service-limits.md
@@ -5,14 +5,18 @@ author: keithp
 manager: davinune
 ms.service: azure-cloud-hsm
 ms.topic: reference
-ms.date: 03/20/2025
+ms.date: 03/31/2026
 ms.author: keithp
 ---
 
 # Azure Cloud HSM service limits
 
 This article describes service limits for the resource type `microsoft.hardwaresecuritymodules/cloudHsmClusters` in Azure Cloud HSM.
 
+## Hardware specifications
+
+Azure Cloud HSM uses Marvell LiquidSecurity hardware security modules. These HSMs are validated to meet FIPS 140-3 Level 3 standards. For more information about compliance certifications, see [Compliance and certification](overview.md#compliance-and-certification).
+
 ## Object limits
 
 The following table describes the limits for the number of objects that you can create in Azure Cloud HSM. The limits are per Cloud HSM instance. Key types are Rivest-Shamir-Adleman (RSA), elliptic curve (EC), and Advanced Encryption Standard (AES).
diff --git a/articles/cloud-hsm/user-management.md b/articles/cloud-hsm/user-management.md
@@ -4,7 +4,7 @@ description: Learn best practices for managing user identities, securing credent
 author: msmbaldwin
 ms.service: azure-cloud-hsm
 ms.topic: best-practice
-ms.date: 03/20/2025
+ms.date: 03/31/2026
 ms.author: mbaldwin
 
 #customer intent: As a security administrator, I need to manage user identities and permissions in Azure Cloud HSM so that I can ensure security and compliance.
@@ -41,6 +41,12 @@ Protecting your HSM user credentials is paramount, because these credentials gra
 
 Azure Cloud HSM does not retain access to your HSM user credentials. If you lose access to your credentials, Microsoft can't help.
 
+## Protect your partition owner certificate
+
+The partition owner certificate (`PO.crt`) is a critical component that you upload during HSM initialization. After you upload the partition owner certificate, you can't change it. If you upload an incorrect certificate, you must delete the Azure Cloud HSM resource and deploy again.
+
+Store the partition owner certificate and its corresponding private key (`PO.key`) securely. Keep the private key offline whenever possible, because it's required only for initial signing and cryptography officer (CO) password resets. For more information about the partition owner private key, see [Secure your Azure Cloud HSM deployment](secure-cloud-hsm.md).
+
 ## Ensure your HSM users are available on all nodes of your cluster
 
 When you create a user, the user is created on all three nodes of the Cloud HSM cluster if all nodes are available. However, unlike keys, Azure Cloud HSM service does not perform backend user synchronization. User management is fully customer managed.
