Cybersecurity Insights

Benjamin Hosack

Logging for PCI DSS

23/03/15 09:27

PCI DSS requirement 10 specifies that organisations must track and monitor all access to network resources and cardholder data. In this blog I seek to outline and explain PCI DSS requirement 10.

Organisations must ensure that logging is enabled for all system components which means for all network devices, servers, end-points and application within the PCI DSS scope. Logging must include all access to system components and is linked to individual user accounts. Further, logs must be retained for at least one year with three months immediately available for analysis.

Each audit trail (or log) must at least record the following informational items as outlined in Figure 1 below. For all system components and for each event the log entry must include at least the below list.

audit_trail_log

Figure 1 – Minimum information to be logged in each log entry.

Including logging the minimum informational items for each log, the logging process should allow for the following events to be reconstructed as outlined in Figure 2 below.

audit_trail_events

Figure 2 – Events to be reconstructed from logs

There must be procedures in place to ensure that logs are reviewed periodically and security events identified and investigated appropriately. The following must be reviewed daily:

  •         All security events
  •         Logs for all systems that store, process or transmit CHD and systems that could impact security of CHD
  •         Logs of all critical systems
  •         Logs of all security servers and systems, e.g. firewalls, IDS/IPS, Authentication Servers, E-Commerce redirection servers, etc.

Logs for all other systems must be reviewed periodically based on the annual risk assessment and the organisation’s policies. The procedures must include steps to ensure that all exceptions and anomalies identified during the review process are followed up. These procedures must be documented, in use and known to all affected personnel in the organisation.

Requirement 10 also specifies that critical systems must have correct and consistent time which includes log servers. Time data must be protected to prohibit unauthorised access to time data and unauthorised medication of time settings. This requirement also specifies that time settings are received from industry-accepted time sources.

Having outlined the above, consideration must also be given to ensure all logs are secured so that they cannot be altered. Logs must only be accessed on a need to know basis and protected from unauthorised modifications. All logs must be backed-up to a centralised log server promptly. Logs from external-facing systems must be secured onto a centralised internal log server. Finally, the organisation need to use file integrity monitoring (FIM) to monitor changes to logs.

If you'd like any further help regarding PCI DSS requirements, please contact us using the form below.

Tags: Web Security

TRENDING POSTS

David Kirkpatrick
Penetration Testing: The Quest For Fully UnDetectable Malware

Malware continues to be one of the main attack vectors used by criminals to compromise user and ...

Read More