
Business Partner Magazine

Tips and advice for entrepreneurs, start-ups and SMEs


PCI Log Management Requirements for CISO’s

September 25, 2018 by Ken Lynch


Whether you are in the healthcare, retail or hospitality industry, you need to protect your customers' information if you collect card payments. The Payment Card Industry Data Security Standard (PCI DSS) sets the standard for protecting cardholder data (CHD) and enforces it with penalties.

What is the Payment Card Industry Data Security Standard (PCI DSS)?

The Payment Card Industry Security Standards Council (PCI SSC) was created in the early 2000s by the five major payment card companies: Discover Financial Services, American Express, JCB International, MasterCard and Visa. The aim of the organization was to create a series of information security standards that protect customers from identity theft and the card industry from paying for data breaches. The council established best practices for protecting information, which later became the PCI DSS.

Who needs to be PCI DSS compliant?

Any company that accepts, transmits or stores cardholder data must maintain PCI DSS compliance irrespective of its size.

Penalties for noncompliance

PCI DSS is a standard, not a regulation. Card brands and acquiring banks fine non-compliant merchants from $5,000 to $100,000 per month for violations. Depending on the size of the organization, these fines range from crippling to devastating and can result in business failure.

PCI DSS Requirement 10

In its broadest form, requirement 10 states:

PCI DSS requirement 10: Monitor and track all access to cardholder data and network resources.

Logging mechanisms and the ability to track user activities help to prevent, detect or minimize the impact of a data compromise. Having logs in all environments allows thorough tracking, alerting and analysis of any compromise that does occur. Requirement 10 requires you to monitor user access to your environment. Setting up user access controls, and verifying that these controls work, helps to maintain a secure cardholder data environment (CDE).

Records necessary for requirement 10 compliance

PCI DSS sets out a clear list of sections, subsections and sub-parts, and also incorporates guidance on what an effective control review looks like. The following steps can help you log the data necessary to prove your compliance:

  1. Create a system or process that links user access to the system components accessed, so that suspicious activity can be traced to a specific user.
  2. Generate audit trails that prove the system administrator receives suspicious activity alerts.
  3. Record all individual access to the CDE, to show that unauthorized user accounts have not accessed the systems.
  4. Collect records of activities conducted by administrators that could indicate misuse of their accounts, and trace any issue to a specific action and individual.
  5. Have a way to identify changes, additions and deletions to audit logs.
  6. Record invalid login attempts, to trace password guessing.
  7. Maintain records that allow you to trace activities indicating manipulation of authentication controls, such as attempts to bypass them or to impersonate a valid account.
  8. Document any pauses or restarts of your audit logging processes.
  9. Maintain records showing that system-level objects have not been created or deleted by unauthorized accounts.
  10. Maintain an event log that records the user identification, event type, success/failure indication and the affected data for all systems.
  11. Synchronize clocks across systems so that forensic teams can establish the exact sequence of events.
  12. Apply the principle of least privilege to audit log access.
  13. Back up logs to a centralized server or media that maintains data integrity.
  14. Write logs from external-facing systems directly to a secure internal system, or offload or copy them there.
  15. Use file-integrity monitoring systems to ensure notification of audit log changes.
  16. Conduct regular log reviews using log harvesting, parsing and alerting tools.
  17. Conduct a daily security review for alerts indicating suspicious activity.
  18. Periodically review system components for indications of attempts to gain access to sensitive systems.
  19. Document investigations of exceptions and anomalies.
  20. Retain records for at least a year.
  21. Train employees and make sure they are aware of security policies and monitoring.
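As an added example (this is not code from the article or from Reciprocity), the following Python script performs the kind of daily review described in items 3, 5, 6, 8, 15 and 17 above over a few constructed audit records. The record format, field names, host names, thresholds and the list of accounts allowed to read cardholder data are all assumptions made for the illustration.

```python
"""Daily log review over constructed audit records (added illustration; the
record format, hosts, thresholds and authorised accounts are assumptions)."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real data. Each line carries the user ID,
# event type, UTC timestamp, success/failure, origin and affected resource
# that item 10 asks for.
SAMPLE_LOG = """\
{"ts": "2018-09-25T08:00:01Z", "user": "alice", "event": "login", "result": "success", "src": "10.0.1.5", "target": "pos-db-01"}
{"ts": "2018-09-25T08:02:10Z", "user": "mallory", "event": "login", "result": "failure", "src": "10.0.9.7", "target": "pos-db-01"}
{"ts": "2018-09-25T08:02:14Z", "user": "mallory", "event": "login", "result": "failure", "src": "10.0.9.7", "target": "pos-db-01"}
{"ts": "2018-09-25T08:02:19Z", "user": "mallory", "event": "login", "result": "failure", "src": "10.0.9.7", "target": "pos-db-01"}
{"ts": "2018-09-25T08:02:25Z", "user": "mallory", "event": "login", "result": "failure", "src": "10.0.9.7", "target": "pos-db-01"}
{"ts": "2018-09-25T08:02:31Z", "user": "mallory", "event": "login", "result": "failure", "src": "10.0.9.7", "target": "pos-db-01"}
{"ts": "2018-09-25T08:03:30Z", "user": "alice", "event": "read", "result": "success", "src": "10.0.1.5", "target": "cardholder_tbl"}
{"ts": "2018-09-25T08:03:45Z", "user": "bob", "event": "read", "result": "success", "src": "10.0.2.9", "target": "cardholder_tbl"}
{"ts": "2018-09-25T08:04:00Z", "user": "root", "event": "audit_stop", "result": "success", "src": "console", "target": "pos-db-01"}
{"ts": "2018-09-25T08:35:00Z", "user": "root", "event": "audit_start", "result": "success", "src": "console", "target": "pos-db-01"}
"""

CDE_TARGETS = {"cardholder_tbl"}            # assumed in-scope data objects
CDE_AUTHORIZED = {"alice", "payments-svc"}  # assumed accounts allowed to read them


def parse_log(text):
    """One JSON record per line; timestamps become aware UTC datetimes (item 11)."""
    records = []
    for line in text.splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Item 6: users with at least `threshold` failed logins inside `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "login" and r["result"] == "failure":
            by_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:          # burst starting at times[i]
                flagged[user] = j - i
                break
    return flagged


def unauthorized_cde_access(records):
    """Item 3: accesses to CDE objects by accounts not on the authorised list."""
    return [r for r in records
            if r["target"] in CDE_TARGETS and r["user"] not in CDE_AUTHORIZED]


def audit_pauses(records):
    """Item 8: each stop/start of audit logging, with who did it and for how long."""
    pauses, stopped_at = [], None
    for r in records:
        if r["event"] == "audit_stop":
            stopped_at = r["ts"]
        elif r["event"] == "audit_start" and stopped_at is not None:
            pauses.append((r["user"], r["ts"] - stopped_at))
            stopped_at = None
    return pauses


def hash_chain(lines):
    """Items 5 and 15: chain each raw line to the previous digest; keeping the
    chain (or just its head) on a separate system lets a review detect edits."""
    prev, chain = "0" * 64, []
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        chain.append(prev)
    return chain


def first_tampered(lines, chain):
    """Index of the first edited, inserted or missing line, or None if intact."""
    prev = "0" * 64
    for i, line in enumerate(lines):
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        if i >= len(chain) or chain[i] != prev:
            return i
    return len(lines) if len(lines) < len(chain) else None   # truncation


if __name__ == "__main__":                   # item 17: the daily pass
    recs = parse_log(SAMPLE_LOG)
    print("failed login bursts:", failed_login_bursts(recs))
    print("unauthorised CDE access:", [(r["user"], r["target"]) for r in unauthorized_cde_access(recs)])
    print("audit pauses:", [(u, int(d.total_seconds())) for u, d in audit_pauses(recs)])
    print("chain head:", hash_chain(SAMPLE_LOG.splitlines())[-1])
```

The chain head has to live somewhere the log writer cannot reach (the centralized server of item 13 is the natural place), otherwise an attacker who edits the log can simply recompute it. Note also what the chain cannot see: events that were never written because logging was stopped, which is why the pause/restart record of item 8 is reviewed alongside it.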

Service providers are subject to the following additional requirements:

  1. Establish formal procedures to detect and alert on failures of critical security controls, such as a firewall's rules being erased.
  2. Document evidence supporting the response to a security control failure, including the processes and procedures followed as well as the actions taken.

By storing all of your audit information in one location, you can manage it centrally and document your compliance activities in the same place. This also lets your audit logging staff communicate with one another, and it is more secure still when only the people who need access can interact with the information.

Tracking outstanding tasks without email makes communication easier and also protects the data by keeping it within protected platforms rather than in insecure email.


Author Bio

Ken Lynch - Reciprocity LabsKen Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.

Filed Under: Featured Posts, Security Tagged With: compliance, Data, IT, PCI, security
