Is ZFS Encryption PCI-DSS Compliant ?

Is ZFS Encryption PCI-DSS Compliant? No, it isn't, and I'll explain why.

PCI-DSS applies to a given merchant or financial institution; it does not evaluate or validate products. This is very different from Common Criteria (CC) or FIPS 140.

One of the many requirements of PCI-DSS is that certain types of data (credit card numbers and card holder data) are encrypted on persistent storage and in transit. There are many ways to meet that PCI-DSS requirement; ZFS encryption can be one of them, and using Oracle DB TDE is another.

There is a peer standard called PA-DSS (Payment Application Data Security Standard), but storage is not a payment application, so again it does not apply to ZFS encryption.

Even using a PA-DSS compliant application does not imply you have a PCI-DSS compliant deployment. The distinction is covered very well in this article on the PCI compliance guide website; I particularly like this quote:

"The bottom line is that only an organization can be validated to be PCI-DSS compliant, never an application or a system."

So we can't claim ZFS is PCI-DSS compliant, but then no other storage or database vendor can make that claim either. What we can say is that ZFS encryption can be used as part of a PCI-DSS solution to encrypt card holder data at rest. We can also say that we know of cases where ZFS encryption has been used as part of meeting the PCI-DSS requirements and it has successfully passed an audit.

So the answer is "NO", ZFS encryption is NOT PCI-DSS compliant, because that is an invalid question to ask.

In this case a useful question would be:

"Has ZFS Encryption been used as part of a PCI-DSS deployment for encrypting credit card numbers and/or card holder data?" Then the answer is YES.

Darren Moffat-Oracle