Everybody has heard the stories and wants to believe - but there's no such thing as a "PCI Compliant" product*.
People are constantly asking the question: Is "Product X" PCI compliant? The short answer is: No.
The long answer requires some careful explanation.
PCI DSS sets forth 12 major requirements that an organization must meet; meeting them culminates in an attestation of compliance. The PCI assessor verifies that the intent of each requirement has been met, and the organization is deemed compliant. (Yes, that oversimplifies a very complex set of processes, but the outcome is the same: the organization is either compliant or it is not.)
But what about the products used to support an organization's PCI compliance? Network firewalls, antivirus, IDS/IPS and application-layer firewalls are all named in the PCI DSS as controls whose functionality is required to satisfy specific requirements. Don't these products have to be certified as compliant? No. There is no provision for product compliance anywhere in the PCI DSS v1.1 specification; the requirements describe what a control must do and how it must be configured and maintained in the cardholder data environment, not which product delivers it.
So, given that PCI doesn't directly certify products, what should an organization do to provide audit assurance that products can be used for the intended PCI purpose?
- Verify vendor claims - just because a salesperson says it, it doesn't make the statement true.
- Rely on trusted third parties - organizations such as ICSA Labs and NSS Labs publish product testing and certification criteria and comparative results, and WASC and OWASP publish detailed evaluation criteria and capability matrices (for web application firewalls, for example).
- Discuss concerns with your auditor early - because the PCI assessor (QSA) makes the final compliance decision, they should be involved in key product decisions before the assessment, not after it.
There have been some wild claims around PCI, including the notion of "PCI certified products." When faced with conflicting information, work with trusted vendors and partners, press your auditor or QSA for the documented facts, and escalate any remaining ambiguity to the PCI Security Standards Council.
With factual information and proper actions, we can all help PCI reach its lofty goal: increasing trust in payment card usage by holding merchants and service providers to a high, common standard - the PCI DSS.
PCI Backgrounder
PCI DSS, the Payment Card Industry Data Security Standard (often shortened to PCI), specifies security requirements for protecting cardholder data. If your organization stores, processes, or transmits cardholder data, PCI DSS applies to you. The PCI Security Standards Council maintains and publishes the standard at www.pcisecuritystandards.org.
*Note: There is a "Listing of PCI Security Standards Council Approved PIN Entry Devices" at https://www.pcisecuritystandards.org/pin/pedapprovallist.html. PEDs are the only products to carry PCI SSC approval, and that approval comes from the Council's separate PED security requirements program, not from the PCI DSS.
Kurt has done a great job addressing this, and I agree with his points thoroughly. So, since he mentioned us so kindly, I thought I'd offer some support and clarification.
As I've written before in the NSS Labs blog, there's no such thing as a PCI compliant product. No product will make you compliant, but having the wrong product, or even the right product incorrectly configured, could impede validation of compliance. From a terminology perspective, we prefer to say that products address or support compliance (to varying degrees).
That's right, there's no wholesale certification. Different aspects of a product support different requirements either completely, partially, or not at all. And in some cases, the requirements are not even directly applicable to a product. To get this "factual information" that Kurt is calling for, someone has to get their hands dirty with the details. This is what we are about at NSS Labs. Our reports only contain statements of a product's ability to support the specific individual requirements of the PCI DSS that we have empirically validated in the lab. Given that there is no official PCI certification for network/security products (other than PEDs), this is a pretty good start. Note: NSS Labs has been certifying network/security products against our openly published standards since the 1990s. Our new reports focus on the suitability of a product for use in merchant networks, using the PCI DSS as a reference.
In this manner, I believe we're helping security and compliance professionals get beyond broad marketing claims and make more informed buying and implementation decisions. (So far, we've released 2 public PCI Suitability reports and have a number of others in the queue.)
PS. Eventually I will have 'the talk' with my kids about Santa Claus, Unicorns and PCI compliance. But thankfully, no time soon.
Thanks Kurt!
Rick Moy, President, NSS Labs
www.NSSLabs.com