Amongst the many requirements of the Payment Card Industry Data Security Standard (PCI DSS) is the need for organisations to monitor access to network resources and cardholder data.
Log management and monitoring forms a crucial part of this requirement, helping organisations to identify suspicious network activity as early as possible. Building the necessary capabilities to collect, manage and monitor logs can be a challenge, and this blog seeks to clarify PCI DSS log management and monitoring requirements, and provide guidance on how they can be met.
PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data
“Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimising the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.”
The sub-requirements of Requirement 10 are:
10.1 – Implement audit trails to link all access to system components to each individual user
A system is required that is capable of recording user access to network resources and data so that suspicious activities can be traced back to specific individuals.
PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment (CDE). This typically includes network and computing devices, servers, and applications.
10.2 – Implement automated audit trails
This requires organisations to implement an automated audit trail to alert system administrators to certain user activities. This could involve passing data on to specialist security systems (like an intrusion detection system) that raise alerts.
Events that need to be logged include user access to cardholder data, all admin account activity, access to and modification of audit trails, invalid login attempts, authentication changes, as well as the creation and deletion of system-level objects such as database tables.
10.3 – Record specific audit trail entries for all system components
For each of the events identified in 10.2, audit trail entries for all system components must be recorded. Audit trail entries must include the type of event, the date and time, success or failure, the origination of the event, and the identity of the user and of the affected data. This helps to provide the context around events – the who, what, when, where and how.
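As an added illustration (not part of the original article or of the PCI DSS text), the Python sketch below checks JSON log records for the audit trail elements listed under 10.3. The field names and sample records are assumptions constructed for this example, and the check for a missing UTC offset is an extra strictness chosen here so that entries from different systems can be compared.

```python
import json
from datetime import datetime

# Hypothetical field names mapped to the elements listed under 10.3.
REQUIRED = {
    "event_type": "type of event",
    "timestamp": "date and time",
    "outcome": "success or failure",
    "origin": "origination",
    "user_id": "identity of user",
    "resource": "affected data",
}

def missing_elements(record: dict) -> list:
    """Return the 10.3 elements a record lacks or carries in unusable form."""
    gaps = [label for key, label in REQUIRED.items()
            if not str(record.get(key) or "").strip()]
    ts = record.get("timestamp")
    if ts:
        try:
            if datetime.fromisoformat(ts).tzinfo is None:
                gaps.append("date and time (no UTC offset)")
        except (TypeError, ValueError):
            gaps.append("date and time (unparseable)")
    return gaps

def audit(lines) -> dict:
    """Map line number -> list of gaps, for every incomplete line."""
    report = {}
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            report[n] = ["not valid JSON"]
            continue
        gaps = missing_elements(rec) if isinstance(rec, dict) else ["not an object"]
        if gaps:
            report[n] = gaps
    return report

# Constructed sample records, not taken from any real system.
SAMPLE = [
    '{"event_type":"login","timestamp":"2024-03-01T09:15:02+00:00","outcome":"failure","origin":"10.0.4.17","user_id":"jsmith","resource":"pos-gw-01"}',
    '{"event_type":"table_drop","timestamp":"2024-03-01 09:16:40","outcome":"success","origin":"10.0.4.17","user_id":"","resource":"db.cards"}',
    '{"event_type":"audit_log_read","timestamp":"yesterday","origin":"10.0.4.9","user_id":"admin2","resource":"/var/log/audit"}',
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running a check like this against each log source during onboarding shows which components emit entries that cannot be tied to a user, a time or an outcome.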
10.4 – Use time-synchronisation technology across all critical systems
Without clocks being synchronised across multiple systems, it can be almost impossible to compare logs and establish a sequence of events. Time synchronisation technology, such as Network Time Protocol (NTP), is therefore mandated to help security and compliance teams establish an accurate chain of events, which is important for reporting and incident investigation.
10.5 – Secure audit trails to prevent unauthorised access and modification
Audit log tampering can be a tell-tale sign that an attacker is trying to cover their tracks, so protecting audit logs is another important part of PCI DSS Requirement 10. This requires organisations to have controls in place to prevent unauthorised log access and modification as well as conduct regular backups and file integrity monitoring.
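One way to make log modification detectable, shown here as an added example that is not from the original article and is not a mechanism prescribed by PCI DSS: each entry is sealed with an HMAC that also covers the previous entry's tag, so an edit, deletion or truncation breaks the chain. The key, the sample entries and the function names are constructed for illustration, and the example assumes the key and the latest tag are stored away from the logging host.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed starting value for the chain

def seal(key: bytes, entries):
    """Chain entries: tag_i = HMAC-SHA256(key, tag_{i-1} || entry_i)."""
    sealed, prev = [], GENESIS
    for entry in entries:
        prev = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        sealed.append((entry, prev.hex()))
    return sealed

def first_tampered(key: bytes, sealed, expected_last=None):
    """Return the index of the first entry that fails verification.

    Returns len(sealed) if every entry verifies but the final tag does not
    match expected_last (entries were cut from the end), or None if intact.
    """
    prev = GENESIS
    for i, (entry, tag) in enumerate(sealed):
        calc = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(calc.hex(), tag):
            return i
        prev = calc
    if expected_last is not None and not hmac.compare_digest(prev.hex(), expected_last):
        return len(sealed)
    return None

# Constructed sample entries and key, for demonstration only.
KEY = b"constructed-demo-key"
ENTRIES = [
    "2024-03-01T09:15:02Z jsmith login failure 10.0.4.17",
    "2024-03-01T09:15:40Z jsmith login success 10.0.4.17",
    "2024-03-01T09:16:40Z jsmith drop_table db.cards success",
]

if __name__ == "__main__":
    sealed = seal(KEY, ENTRIES)
    last_tag = sealed[-1][1]  # assumed to be stored off-host
    edited = list(sealed)
    edited[1] = (ENTRIES[1].replace("jsmith", "nobody"), sealed[1][1])
    print("intact:", first_tampered(KEY, sealed, last_tag))
    print("edited entry detected at index:", first_tampered(KEY, edited, last_tag))
    print("truncation detected at index:", first_tampered(KEY, sealed[:-1], last_tag))
```

This detects tampering after the fact; it complements, rather than replaces, access controls and backups on the log store.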
10.6 – Review logs and security events to identify anomalies or suspicious activity
Daily log reviews, conducted either manually or automatically, are mandated to ensure that organisations proactively identify and address unauthorised access to the cardholder data environment. Regular log analysis is important to prevent breaches from going undetected for extended periods of time.
10.7 – Retain audit trail history for at least one year
Given that it can often take some time to discover that a breach has occurred, PCI DSS Requirement 10 also mandates that organisations retain logs for at least a year to ensure that events can be analysed over a long duration. Organisations must also ensure that at least three months’ worth of log data is immediately available for analysis.
10.8 – Implement a process for detecting and reporting of control system failures
This requirement, which applies to service providers only, requires a process to promptly identify and respond to failures of critical security systems. Critical security systems include, but are not limited to, firewalls, antivirus, intrusion prevention, intrusion detection and file integrity monitoring systems.
10.9 – Ensure that security policies and operational procedures are in place
This final PCI DSS 10 sub-requirement requires security policies and operational procedures for monitoring access to network resources and cardholder data to be documented, in use and known to all affected parties.
The challenges of log management and monitoring
In most cases, finding a technology or set of technologies capable of addressing PCI logging and log management requirements is not difficult. Security Information and Event Management (SIEM) tools can be particularly useful in addressing PCI DSS requirement 10, and there are plenty available. However, technology alone is not enough to achieve compliance, and expensive systems can quickly become obsolete if they are not given the attention required to unlock their value.
The problem for many businesses is that deploying, configuring, maintaining and managing the systems required to comply with PCI DSS can be time- and resource-intensive. No two IT environments are the same, and it takes time and specialist skills to identify and ingest logs from the right system components, effectively deploy the most suitable monitoring tools, and tune systems to differentiate between genuine threats and false positives.
Many log management systems generate a high volume of alerts and these can be difficult to manage in-house, particularly for organisations without a large, dedicated security team. An advanced level of security expertise is required to understand system outputs and swiftly respond to incidents.
The benefits of a managed service
In a growing and increasingly hostile digital landscape, no organisation can afford to stand still. This has led many organisations to turn to managed services to help address threat monitoring, detection and compliance challenges.
By enlisting the support of an outsourced team of cyber security experts, organisations can significantly improve their ability to detect and respond to threats.
A comprehensive Managed Detection and Response (MDR) service can deliver the tangible security outcomes organisations need to comply with PCI DSS requirement 10, as well as other security and compliance requirements, by providing:
- Around-the-clock access to specialist security expertise
- A range of cutting-edge network and endpoint monitoring technologies
- Aggregated security intelligence
- Independent validation of security controls and procedures
- Significantly reduced mean times to detection and response
Why choose Redscan?
Redscan’s range of award-winning managed security services is specifically designed to help organisations assess security risk, detect and respond to threats, and comply with the latest regulatory requirements.
If your business processes card transactions, protecting this highly sensitive information should be integral to your data security strategy. We have extensive experience helping organisations to understand and implement the technical and operational controls needed for PCI DSS, as well as a wide range of other compliance standards.
ThreatDetect™, our Managed Detection and Response service, combines world-class security expertise, network and endpoint detection technologies and aggregated offensive security intelligence. This enables us to hunt for, respond to and remediate threats across on-premise, cloud and hybrid environments.