May 17, 2008

PCI Compliant Products

Kurt Roemer, CTO at Citrix recently discussed PCI Compliant Products on his blog, and I agree with his points thoroughly. So, since he mentioned us so kindly, I thought I'd offer some support and clarification.

As I've written before on the NSS Labs blog, there's no such thing as a PCI compliant product. No product will make you compliant, but having the wrong product, or even the right product incorrectly configured, can impede validation of compliance. From a terminology perspective, we prefer to say that products address or support compliance (to varying degrees).

That's right, there's no wholesale certification. Different aspects of a product support different requirements either completely, partially, or not at all. And in some cases, the requirements are not even directly applicable to a product. To get the "factual information" that Kurt is calling for, someone has to get their hands dirty with the details. This is what we are about at NSS Labs. Our reports only contain statements of a product's ability to support the specific individual requirements of the PCI DSS that we have empirically validated in the lab. Given that there is no official PCI certification for network/security products (other than PEDs, i.e. PIN entry devices), this is a pretty good start. Note: NSS Labs has been certifying network/security products against our openly published standards since the 1990s. Our new reports focus on the suitability of a product for use in merchant networks, using the PCI DSS as a reference.

In this manner, I believe we're helping security and compliance professionals get beyond broad marketing claims and make more informed buying and implementation decisions. (So far, we've released 2 public PCI Suitability reports and have a number of others in the queue.)

PS. Eventually I will have 'the talk' with my kids about Santa Claus, Unicorns and PCI compliance. But thankfully, no time soon. ;-)

Thanks Kurt!