Here is the link to the PCI Solution Design Guide. It lists products and which PCI requirements they address, as well as how to configure them.
I just had this dropped in my lap last week and was told we have to be PCI compliant before January 1st. Do you think that is feasible? I'm not a security expert, but I am the infrastructure guy.
If you are talking about Jan 1, 2008 and your company is just now starting, it does not sound feasible to me.
Of course, it depends on many factors, like the size of your company, your existing policy and the existing configurations of your infrastructure.
But, based on your note, I would say your company has identified a red flag.
I think one of the first things you need to do is download the PCI Self Assessment and the PCI DSS. Then, depending on what policies, processes, procedures and documentation you have, make a decision as to whether you want to set out remediating on your own. If your company is big and you have a long way to go, I would suggest getting a partner to assist in remediation. We decided to do the remediation ourselves, but we contracted with a company to give us a roadmap.
As far as the actual security products needed, there is nothing specifically named. It is more of a set of guidelines for minimum functionality. Basically, if you go through the DSS, you can start to carve out what products will work for you in each area. I think that process took us longer than anything.
You really need a good assessment/audit from a third-party organization that is PCI certified, like Fishnet or ISS; I'm sure there are others as well.
You will not be ready by Jan 1 of 2008, not even close. Your first step is to find out what you need to remediate, and this is best done by a PCI audit.
ISS actually did our audit and helped write a document stating what failed and how we will resolve these issues. We were also granted time to get into compliance.