Everybody has heard the stories and wants to believe – but there’s no such thing as “PCI Compliant” products*.
People are constantly asking the question: Is “Product X” PCI compliant? The short answer is: No.
The long answer requires some careful explanation.
PCI DSS sets forth 12 major requirements for an organization to meet; satisfying them culminates in an attestation of compliance. The PCI auditor (QSA) verifies that the intent of each requirement has been met, and compliance is attested. (Yes, that oversimplifies a complex set of processes, but the result is the same: the organization is deemed compliant or not.)
But what about the products used to support an organization’s PCI compliance? Network firewalls, antivirus, IDS/IPS, and application firewalls all appear in the PCI DSS: the standard requires the functions these products provide (an application-layer firewall, for example, is one of the two options under Requirement 6.6 for protecting web-facing applications). Don’t these products have to be certified as compliant? No. There is no provision for product compliance in the PCI DSS v1.1 specification; the requirements describe controls that must be in place, not products that must be bought.
So, given that PCI doesn’t directly certify products, what should an organization do to provide audit assurance that products can be used for the intended PCI purpose?
- Verify vendor claims – just because a salesperson says it, that doesn’t make the statement true. Ask for evidence: independent test reports, configuration guidance, and which specific PCI DSS requirement the product is meant to address.
- Rely on trusted third parties – ICSA Labs and NSS Labs run independent product testing and certification programs, and groups like WASC and OWASP publish evaluation criteria (WASC’s Web Application Firewall Evaluation Criteria, for example) and comparative information you can use to judge whether a product does what the vendor claims.
- Discuss concerns with your auditors – because the auditor’s report is what determines whether you are deemed compliant, involve them in key product decisions before the assessment, not after. A product that satisfies you may not satisfy the auditor’s reading of a requirement.
There have been some wild claims around PCI, including the notion of “PCI certified products.” When faced with conflicting information, work with trusted vendors and partners, press your auditor or PCI QSA for the documented facts, and escalate ambiguity as necessary through to the PCI Security Standards Council.
With factual information and proper actions, we can all help PCI reach its lofty goal: increasing trust in credit card usage by holding merchants and service providers to a high standard, the PCI DSS.
PCI DSS, the Payment Card Industry Data Security Standard (or simply PCI), specifies security requirements for organizations that handle payment card data. If your organization stores, processes, or transmits cardholder data, PCI DSS applies to you. The PCI Security Standards Council maintains and publishes the standard at www.pcisecuritystandards.org.
*Note: There is a “Listing of PCI Security Standards Council Approved PIN Entry Devices” at https://www.pcisecuritystandards.org/pin/pedapprovallist.html. PEDs are the only products to carry PCI SSC approval.