Is ZFS Encryption PCI-DSS Compliant ?
By Darren Moffat-Oracle on Jan 28, 2016
Is ZFS Encryption PCI-DSS Compliant? No, it isn't, and I'll explain why.
PCI-DSS applies to a given merchant or financial institution; it does not evaluate or validate products. This is very different to Common Criteria (CC) or FIPS 140.
One of the many requirements of PCI-DSS is that certain types of data (credit card numbers and card holder data) are encrypted on persistent storage and in transit. There are many ways to achieve that PCI-DSS requirement: ZFS encryption can be one of them; using Oracle DB TDE is another.
There is a peer standard called PA-DSS (Payment Application Data Security Standard), but storage is not a payment application, so again ZFS encryption doesn't apply here.
Even using a PA-DSS compliant application does not imply you have a PCI-DSS compliant deployment. The distinction is covered very well in this article on the PCI Compliance Guide website; I particularly like this quote:
"The bottom line is that only an organization can be validated to be PCI-DSS compliant, never an application or a system."
So we can't claim ZFS is PCI-DSS compliant, but then no other storage or database vendor can make those claims either. What we can say is that ZFS encryption can be used as part of a PCI-DSS solution to encrypt card holder data at rest. We can also say that we know of cases where ZFS encryption has been used as part of meeting the PCI-DSS requirements and it has successfully passed an audit.
So the answer is "NO": ZFS encryption is NOT PCI-DSS compliant, because that is an invalid question to ask.
In this case a useful question would be:
"Has ZFS Encryption been used as part of a PCI-DSS deployment for encrypting credit card numbers and/or card holder data?" Then the answer is YES.