Any firm whose line of service involves collecting payments needs to have systems in place to safeguard customer’s information, whether in the healthcare, food, retail, hospitality or any other industry. This is because the transmission of payment data is very sensitive. In addition to setting the industry standards for cardholder data (CD), the Payment Card Industry Data Security Standard or PCI-DSS also enforces these standards with penalties against violation.
PCI-DSS Logging & Log Monitoring Requirements
What Exactly Does PCI-DSS Entail?
Back in the early 2000s, the five global leaders in payment card transactions: American Express, MasterCard, Discover Financial Services, Visa Inc. and JCB International met to launch the Payment Card Industry-Security Standards Council or PCI-SSC. The council came up with information security standards for payment processing with two goals in mind:
- protecting customers from unauthorized identity theft, and
- helping the card industry avoid paying for avoidable data breaches.
From the deliberations of the PCI-SSC, what we know today as the card industry’s “best practices” for guarding customer payment data and information were soon standardized into PCI-DSS.
Penalties for PCI-DSS Noncompliance
Although PCI-DSS is designated as only an “industry standard” rather than a regulation, complying with it is far from optional. Non-Compliance can be a significant undoing to your business as a merchant. Card firms and acquiring banks may fine between $5,000 and $100,000 monthly for non-compliance. Such fines can be a death sentence to SMEs.
Is PCI-DSS Compliance, then, Compulsory?
Yes, it is! Regardless of your firm’s size or the industry you’re in, if you accept, transmit, or store cardholder data, then PCI-DSS compliance is a must.
PCI-DSS Requirement 10: What is it?
This requirement concerns the monitoring of access to both networks and data. It states: Track and monitor all access to network resources and cardholder data.
Apart from logging mechanisms, the capacity to track and monitor user actions is crucial in the detection, reduction of the impact or outright prevention of data breaches. With system activity logs, it’s easier to track, analyze, and determine the source of a breach to alert the concerned authorities for action.
With 39 sub-parts that spell out its demands, Requirement 10 stresses that you continuously monitor user access to and activities in your environment. User access controls enable you to ensure a secure cardholder data environment (CDE). Further, with PCI-DSS being a highly-prescriptive set of standards, it sets out an elaborative list of the steps, processes, and documents necessary to meet its requirements.
Requirement 10 Compliance: What Records are Needed?
To help you ensure that you’ve complied with its requirements fully, PCI-DSS has many inbuilt mechanisms. Aside from listing sections, sub-sections, and parts of sub-sections, the standard also includes a Guidance section to help its users appreciate effective control review. Below is a compilation of steps that can help you to log data essential to ascertain if you’re compliant or not:
- Design a system/process connecting user access to the sections of the system gained access to and be confident that you can track any suspicious activity to its source.
- Create audit trails that demonstrate how the system admin can get notified of any suspicious activity and respond accordingly.
- Take record of all individual access entries to the CDE to prove that no unauthorized users have gotten access to the systems, networks, and data.
- Make sure you record all activities conducted by “admin/root” accounts that clearly show any possible misuse of privileges and trace the violation to its specific source.
- Uphold the file integrity of audit logs by implementing a method to identify any changes, additions, or deletions to them.
- Take records of invalid/illegal login attempts to trace password guesses and brute-force hacking attacks.
- A document that enables you to trace any manipulation of authentication activities that attempt to bypass controls.
- Record any pauses/restarts to your system’s audit logging processes.
- Keep records to demonstrate that system-level objects like databases or stored procedures haven’t been created/deleted via unauthorized user accounts.
- Create an event log to record user IDs, event types, timestamps, success/failure indicators, event origination, affected data, system component affected and resource identity/name.
- Synchronize clocks across system components to keep tabs of exact event sequences for forensics teams.
- Make use of “principle of least privilege” in audit log access to ensure integrity and security of information.
- Backup logs to centralized server/media that guarantees data integrity.
- Write logs directly or offload/copy from external sources to a secure internal system.
- Incorporate file-integrity monitoring and change-detection mechanisms to detect audit log changes in case of date breeches.
- Regularly review logs, either manually or via log harvesting, parsing, and alerting tools.
- Review security controls daily for alerts on critical system component logs, e.g. any suspicious activity.
- Schedule regular reviews for all system components that reveal potential issues or unauthorized access attempts to sensitive systems via less sensitive systems.
- Keep tabs of investigations of exceptions/anomalies.
- Maintain all records for a minimum of one year.
- Make sure employees are aware of security policies and their monitoring.
Additional Requirements for Service Providers
- Implement formal procedures to detect/alert critical security control failures, e.g. firewall expunging rules or going offline.
- Maintain evidence on the response to security failures, including the procedure involved and responsible.