What are PCI Log Management Requirements for CISOs?

PinIt
Human hand holding plastic card in payment machine

Payments industry firms need to keep their log management needs in mind when building out new platforms or systems.

Whether you are in the healthcare, retail or hospitality industry, you need to protect your customer information if you collect payments. The Payment Card Industry Data Security Standard (PCI SSS) sets the standard for cardholder data (CD) and also enforces the standard with penalties.

What is the Payment Card Industry Data Security Standard (PCI DSS)?

The (PCI SSC) Payment Card Industry Security Standards Council was created in the early 2000s by the five major payment card companies: The Discover Financial Services, American Express, JCB International, MasterCard, and Visa. The aim of the organization was to create a series of information security standards that protected customers from identity theft and the card industry from paying for data breaches. PCI SSS established the best practices for protecting information and later became PCI DSS.

Who needs to be PCI DSS compliant? Any company that accepts, transmits or stores cardholder data must maintain PCI DSS compliance irrespective of its size.

Penalties for noncompliance

PCI DSS is considered a standard and not a regulation. Card brands and acquiring banks fine non-compliant merchants from $5,000 to $100,000 per month for violation. These fines can be either crippling or devastating depending on the size of the organization and can result in business failure.

In its most broad definition, PCI DSS requirement 10 states payment card firms must:

  • Monitor and track all access to the card-holder data and the network resource.
  • Logging mechanisms and the ability to track user activities should help to prevent, detect or minimize the impact of a data compromise.
  • Log management in all environments allow thorough tracking, alerting and analysis of any compromises that may result.
  • Monitor the user’s access to your environment.
  • Set up user access controls and ensuring that these controls work helps to maintain a secure cardholder data environment (CDE)

Records necessary for compliance

PCI DSS sets out a clear list of sections, subsections, and parts of the subsections, and also incorporates guidance to help understand effective control review. The following steps can help you to log data necessary to prove your compliance:

  • Create a system or process linking user access to the system components accessed and make sure you can trace suspicious user activity to a specific user.
  • Generate audit trails that prove the system administrator receives suspicious activity alerts
  • Record all the individual access to the CDE to show that unauthorized user accounts have not accessed the systems.
  • Collect records of activities conducted by the administrator that show potential misuse of the accounts and trace the issue to a specific action and individual.
  • Have a way to identify changes, additions, and deletions to audit logs
  • Record invalid login attempts to trace password guesses.
  • Maintain records that allow you to trace activities indicating manipulation of authentication controls by attempting to bypass them or impersonating a valid account.
  • Document any pauses or restarts to your audit logging processes
  • Maintain records to show that system-level objects have not been deleted or created by unauthorized accounts
  • Maintain an event log that records the user identification, event type, success/ failure indication and the affected data for all systems.
  • Synchronize clocks across systems to maintain exact sequences of events for forensic teams
  • Use the principle of least privilege for audit log access to maintain the security of information
  • Backup logs to a centralized server or media that maintains data integrity
  • Write logs directly, offload or copy from external systems to a secure internal system
  • Use file-integrity monitoring systems to ensure notification of audit log changes
  • Conduct regular log reviews by using log harvesting, parsing and alerting tool
  • Conduct a daily review of security for alerts indicating suspicious activities
  • Periodically review system components that indicate an attempt to gain access to sensitive systems
  • Document investigations of expectations and anomalies
  • Retain records for at least a year
  • Train employees and make sure they are aware of security policies and monitoring

Service providers are subjected to the following additional requirements:

  • Establish formal procedures to detect and alert critical security control failures like firewall erasing rules
  • Document evidence supporting the response to a security failure, including processes and procedures as well as the actions and responses.

By storing all your information in one location, you are able to manage audit information and also document your compliance activities. This also enables your audit logging staff to communicate with one another and this is even more secure when only people who need access can interact with the information.

Tracing of outstanding tasks without emails makes communication easier and also protects the data by keeping it within protected platforms rather than insecure emails.

Ken Lynch

About Ken Lynch

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.

Leave a Reply