PCI Log Management Requirements for CISO’s

Click here to get this post in PDF

Whether you are in the healthcare, retail or hospitality industry, you need to protect your customer information if you collect payments. The Payment Card Industry Data Security Standard (PCI DSS) sets the standard for cardholder data (CD) and also enforces the standard with penalties.

What is the Payment Card Industry Data Security Standard (PCI DSS)

The (PCI SSC) Payment Card Industry Security Standards Council was created in the early 2000`s by the five major payment card companies: The Discover Financial Services, American Express, JCB International, MasterCard and visa. The aim of the organization was to create a series of information security standards that protected customers from identity theft and the card industry from paying for data breaches. PCI DSS established the best practices for protecting information and later became PCI DSS.

Who needs to be PCI DSS compliant?

Any company that accepts, transmits or stores cardholder data must maintain PCI DSS compliance irrespective of its size.

Penalties for noncompliance

PCI DSS is considered a standard and not a regulation. Card brands and acquiring banks fine non-compliant merchants from $5,000 to $100,000 per month for violation. These fines can be either crippling or devastating depending on the size of the organization and can result in business failure.

PCI DSS REQUIREMENT 10

In its most broad definition, requirement 10 states:

PCI DSS requirement 10: Monitor and track all access to the card-holder data and the network resource.

Logging mechanisms and the ability to track user activities helps to prevent, detect or minimize the impact of a data compromise. Presence of logs in all environments allow thorough tracking, alerting and analysis of any compromises that may result. The requirement 10 requires you to monitor the user access to your environment. Setting up user access controls and ensuring that these controls work helps to maintain a secure cardholder data environment (CDE).

Records necessary for requirement 10 compliance

PCI DSS sets out a clear list of sections, subsections and parts of the subsections, and also incorporates guidance to help understand effective control review. The following steps can help you to log data necessary to prove your compliance:

1. Create a system or process linking user access to the system components accessed and make sure you can trace suspicious user activity to a specific user.
2. Generate audit trails that prove the system administrator receives suspicious activity alerts
3. Record all the individual access to the CDE to show that unauthorized user accounts have not accessed the systems.
4. Collect records of activities conducted by the administrator that show potential misuse of the accounts and trace the issue to a specific action and individual.
5. Have a way to identify changes, additions and deletions to audit logs
6. Record invalid login attempts to trace password guesses.
7. Maintain records that allow you to trace activities indicating manipulation of authentication controls by attempting to bypass them or impersonating a valid account.
8. Document any pauses or restarts to your audit logging processes
9. Maintain records to show that system-level objects have not been deleted or created by unauthorized accounts
10. Maintain an event log that records the user identification, event type, success/ failure indication and the affected data for all systems.
11. Synchronize clocks across systems to maintain exact sequences of events for forensic teams
12. Use the principle of least privilege for audit log access to maintain the security of information
13. Backup logs to a centralized server or media that maintains data integrity
14. Write logs directly, offload or copy from external systems to a secure internal system
15. Use file-integrity monitoring systems to ensure notification of audit log changes
16. Conduct regular log reviews by using log harvesting, parsing and alerting tool
17. Conduct a daily review of security for alerts indicating suspicious activities
18. Periodically review system components that indicate an attempt to gain access to sensitive systems
19. Document investigations of expectations and anomalies
20. Retain records for at least a year
21. Train employees and make sure they are aware of security policies and monitoring

The service providers are subjected to the following additional requirements:

1. Establish formal procedures to detect and alert critical security control failures like firewall erasing rules
2. Document evidence supporting the response to a security failure, including processes and procedures as well as the actions and responses.

By storing all your information in one location, you are able to manage audit information and also document your compliance activities. This also enables your audit logging staff to communicate with one another and this is even more secure when only people who need access can interact with the information.

Tracing of outstanding tasks without emails makes communication easier and also protects the data by keeping it within protected platforms rather than insecure emails.

You may also like: Audit Log Best Practices For Information Security

Author Bio

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.