News, tips, partners, and perspectives for the Oracle Solaris operating system

Is ZFS Encryption PCI-DSS Compliant?

Darren Moffat
Senior Software Architect

Is ZFS Encryption PCI-DSS Compliant? No, it isn't, and I'll explain why.

PCI-DSS applies to a given merchant or financial institution; it does not evaluate or validate products. This is very different from Common Criteria (CC) or FIPS 140, which are product evaluation and validation programmes.

One of the many requirements of PCI-DSS is that certain types of data (credit card numbers and card holder data) are encrypted on persistent storage and in transit. There are many ways to meet that requirement: ZFS encryption can be one of them, and Oracle Database Transparent Data Encryption (TDE) is another.

There is a peer standard called PA-DSS (Payment Application Data Security Standard), but storage is not a payment application, so PA-DSS does not apply to ZFS encryption either.

Even using a PA-DSS compliant application does not imply that you have a PCI-DSS compliant deployment. The distinction is covered very well in this article on the PCI compliance guide website; I particularly like this quote:

"The bottom line is that only an organization can be validated to be PCI-DSS compliant, never an application or a system."

So we can't claim ZFS is PCI-DSS compliant, but then no other storage or database vendor can make that claim either. What we can say is that ZFS encryption can be used as part of a PCI-DSS solution to encrypt card holder data at rest. We can also say that we know of cases where ZFS encryption has been used as part of meeting the PCI-DSS requirements and the deployment has successfully passed an audit.

So the answer is "NO": ZFS encryption is NOT PCI-DSS compliant, because that is not a valid question to ask of a product.

In this case a useful question would be:

"Has ZFS Encryption been used as part of a PCI-DSS deployment for encrypting credit card numbers and/or card holder data?"

The answer to that is YES.
