Each of the twelve PCI DSS requirements performs a standard function to ensure that all companies that process, store or transmit credit card information create a secure environment. While every PCI DSS requirement is essential for even the smallest businesses, some may be more difficult to meet than others.
If you do not have detailed information about how and when your data was accessed, updated, or deleted, you will not be able to detect attacks on your systems. Also, you have limited information to investigate, especially if something goes wrong after a data breach.
Fortunately, PCI DSS Requirement 10 demands that audit logs be generated, monitored, and retained so that the worst outcomes mentioned above can be avoided.
If you’re trying to comply with PCI DSS and have been looking at PCI DSS Requirement 10 wondering what to do, you are not alone. This requirement poses some of the biggest hurdles for organizations trying to comply with PCI.
However, PCI DSS Requirement 10 was not established to enforce compliance objectives. It was created because you need a method to identify users who access sensitive data in your Cardholder Data Environment (CDE) as “who, what, where, and when” and to capture, evaluate, store and monitor violations.
Audit logs play a vital role in PCI DSS and are crucial for identifying potential risks, weaknesses, and breaches, and for breach prevention and resolution. The challenge is to meet the requirements of each subsection of this control, to collect and interpret the logs and the reports generated from them, to retain them for 365 days, and to manage all of these logs and reports.
The requirements listed above can be daunting for a company that needs an annual audit. Unfortunately, businesses at both PCI Level 1 and PCI Level 2 have no other choice. PCI DSS enforces this requirement because it is one of the most critical PCI DSS controls for PCI compliance and customer data security. Collecting these logs and reports and providing evidence that they have been retained for a year is vital to your business and to cardholder data security.
What should you do to meet the PCI DSS Logging and Monitoring requirements?
Identify Your PCI-Related Log Data Sources
Once you have set the boundaries of your cardholder data environment (CDE), the next step toward meeting the PCI DSS logging and monitoring requirements is to find and classify the critical entities for which you want to collect event logs.
These are the assets that process, store or transmit cardholder data in any way. You must also import log data from the network infrastructure systems that connect to and monitor these assets.
If you are unsure which devices are within your PCI audit scope, you can run an automatic asset discovery scan. Scanning your environment lets you recognize all live IP systems, the services running on them, and their related known vulnerabilities.
You can also create asset groups to classify which assets are covered by your PCI audit, and you can also perform vulnerability scans on those specific groups.
Set up a Log Management System
Companies should review their audit logs regularly to check for errors, anomalies, or suspicious activity.
A log alert acts as a red flag, notifying you of a potentially dangerous situation on your network. Manually checking all logs every day is unrealistic, since transactions generate large amounts of log data daily.
Audit log management and tracking software performs this task by using rules to automate log inspection and alert only on events that may reveal problems. It also provides real-time monitoring that notifies you by e-mail or message when unusual actions are observed.
Daily monitoring tools come with preset alert rules enabled by default. However, since not all network and system designs are the same, it is crucial to configure the alert rules correctly for your environment.
Analyze Log Data for Use Cases
One clear use case for log monitoring is supporting incident investigation and response. Any access to cardholder data that results in a security breach calls for an in-depth forensic investigation as well as mitigation of the risks that led to the breach, so it should be easy to identify the root causes of potential risks and exposures and examine them from any angle.
For log analysis to be worth anything, the original log data must be securely collected and stored for any IT security incident or forensic investigation and must not have been altered in any way.
Additionally, PCI DSS Requirement 10.7 requires you to keep audit history for at least one year, and at least three months of data must be available for immediate review.
Relate Log Data to Threat Intelligence
Another essential aspect of PCI DSS Requirement 10 is the daily review of log records (PCI DSS Requirement 10.6.1). This regular log review is also explicitly required by the standard for all systems performing security functions, including IDS, firewalls, and authentication services.
Doing a daily manual analysis of all your vital systems would be incredibly tedious and would leave you little time for your actual work. Also, without security context, it is not easy to determine which events are important or how many different events are related.
What are the PCI DSS Log Management Requirements?
Below are a few actions you should remember when creating the rules for your daily log management and monitoring system. The following steps allow you to take the necessary measures to demonstrate your PCI compliance:
- Establish a system or process that links user access to system components so that inappropriate user behavior can be traced to a specific user. Create audit trails showing that the system administrator received and followed up on suspicious activity alerts.
- Record all individual CDE accesses to show that new or unauthorized user accounts do not reach networks and systems.
- Be sure to keep records of activities performed by “admin” or “root” accounts, so that possible abuse of these accounts can be identified and traced back to a specific individual action.
- Maintain audit log file integrity to track changes, additions, and deletions to records.
- Track and record invalid login attempts to detect password guessing or brute-force attacks.
- Maintain records identifying activities that indicate abuse of authentication controls or events attempting to hide by impersonating a legitimate account, including records that verify transactions, the elevation of privileges, and changes to root or administrator accounts.
- Track and record flaws in audit tracing processes.
- Maintain records showing that system-level objects, such as databases or retention procedures, were not created or deleted by unauthorized accounts.
- Maintain an event log that records user ID, event type, date/time stamp, success/failure indicator, event source and affected data, system component, or resource ID/name for all system components.
- Synchronize clocks between networks so forensic teams can accurately identify exact sequences.
- Use the principle of least privilege in accessing audit logs to protect information security and integrity.
- Back up logs to a central server or media while preserving the integrity of the data.
- Write logs directly to a secure internal system or media, or offload or copy them there from external-facing systems.
- Use file integrity monitoring or change detection systems so that changes to audit logs, which could indicate a compromise, generate an alert.
- Perform daily reviews of the logs, manually or using a tool that collects, reads, or alerts on logs.
- Conduct a daily security review of alerts or alarms for unusual behavior, and review the logs of critical network components.
- Schedule regular checks of all network components to reveal potential problems or attempts to reach critical systems via less critical ones.
- Document the investigations of exceptions and anomalies.
- Keep all audit log records for at least one year.
- Make sure staff are trained and are aware of logging and monitoring policies.
Lay the groundwork for linking access to and operation of the various system components in the CDE, so that any user or administrator activity can be monitored, recorded, and reported.
However, an IT team, whether small or large, cannot realistically perform the controls mentioned above manually. The most effective way to track and document events is to automate this long list of daily activities.
Automation will ensure that documents are available in the event of a security attack or data theft and will help reproduce the incident to determine the cause of a breach.
Data monitoring and collection make no sense unless the information collected is complete. Every login, whether successful or failed, should be recorded with the username used and the chronological course of the user's actions.
Any administrator or user who has been given access to the logs or the privilege to process them should be monitored and their actions recorded, so that the logs cannot be changed without a trace. The Qualified Security Assessor (QSA) will verify and validate all parts of the logging and monitoring requirement.
What Does The Requirement For PCI DSS Daily Log Monitoring Mean To You?
In short, log records mean you need to distinguish who is logging into or using a system at any time, what they are doing in the system, and whether they access the system in person or via an electronic connection.
PCI DSS specifies the controls in Requirement 10 because they are the most efficient method of identifying users accessing electronic system data. When all these elements are applied correctly and are functioning, they create non-repudiation: a user cannot plausibly dispute or deny having taken the action in question. In practice, this is what makes it possible to effectively pursue someone for online fraud or other illegal activity.
PCI DSS is explicit about its auditing and logging requirements. Here are some of the requirements and why they are essential:
Maintenance of audit trails
PCI DSS Requirement 10 clearly states that certain activities must be recorded in automated audit trails for all system components, mainly data being read, written, or modified. Such components include external systems and security systems such as firewalls, intrusion detection and intrusion prevention systems, and authentication servers.
Additionally, PCI DSS explains how to collect detailed information so that you know who, what, where, when, and how for every access to the data. For example, any root or administrator access should be logged, especially when a privileged user elevates their privileges before accessing data.
PCI DSS Requirement 10.4 also requires configuring all system components in the cardholder data environment to use accurate, synchronized time. If you don’t have time synchronization capability yet, you may need to update your systems.
An essential piece of logging information is a clear indication of failed access attempts, which can point to a brute-force attack or persistent password guessing, especially when there are many such entries in the access log.
You will need to document additions and deletions, such as extended access privileges, lowered authentication thresholds, temporary deactivation of logging, and software modifications that may indicate malware.
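The failed-login indicator described above, together with the per-event fields listed under the log management requirements (user ID, event type, date/time, success/failure, source and affected resource), as an added Python example that is not part of the original article: it checks constructed key=value audit records for the required fields and flags a burst of failed logins from one source against one account. The field names, sample hosts and the five-failures-in-five-minutes threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields PCI DSS Requirement 10.3 expects in every audit record (see the list above).
REQUIRED_FIELDS = ("timestamp", "user", "event", "result", "source", "resource")

# Constructed sample records from a hypothetical CDE host; not real log data.
SAMPLE_LOG = """\
timestamp=2024-03-01T09:00:01Z user=alen event=login result=success source=10.0.5.20 resource=pos-app
timestamp=2024-03-01T09:01:10Z user=alen event=login result=failure source=203.0.113.9 resource=pos-app
timestamp=2024-03-01T09:01:15Z user=alen event=login result=failure source=203.0.113.9 resource=pos-app
timestamp=2024-03-01T09:01:20Z user=alen event=login result=failure source=203.0.113.9 resource=pos-app
timestamp=2024-03-01T09:01:26Z user=alen event=login result=failure source=203.0.113.9 resource=pos-app
timestamp=2024-03-01T09:01:31Z user=alen event=login result=failure source=203.0.113.9 resource=pos-app
timestamp=2024-03-01T09:01:40Z user=alen event=login result=failure source=203.0.113.9 resource=pos-app
timestamp=2024-03-01T09:30:00Z user=bob event=login result=failure source=10.0.5.21
timestamp=2024-03-01T10:00:00Z user=root event=privilege_change result=success source=10.0.5.22 resource=cde-db
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_records(text):
    """Parse key=value lines into complete records and records missing 10.3 fields."""
    complete, incomplete = [], []
    for line in text.splitlines():
        rec = dict(KV.findall(line))
        if not rec:
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            incomplete.append((line, missing))  # cannot answer who/what/where/when
        else:
            rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            complete.append(rec)
    return complete, incomplete

def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, source) pairs with >= threshold failed logins inside a sliding window."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "login" and r["result"] == "failure":
            failures[(r["user"], r["source"])].append(r["timestamp"])
    alerts = []
    for (user, source), times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "source": source, "first": times[start], "last": t})
                break  # one alert per pair is enough for a daily review
    return alerts
```

Records that fail the field check are worth their own alert: a log source that stops emitting a required field is itself one of the audit-trail failures the requirement asks you to track.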
Assign unique usernames to users through a documented process.
Assigning unique usernames to users means you can identify the user or access ID that actually performed the action in question. For example, if I log in to the system as user “alen,” the system will always attribute the actions taken under that username to me.
If Bob and Sally share a user account and it is later discovered that the account deleted an essential piece of data, it is much harder to prove which person did it.
Logging of access to an application or system-generated logs and audit trails.
When anyone can log in and delete records, a user can essentially prevent you from showing that they performed the activity in question, such as transferring money from one account to another or accessing confidential data.
Administrators should be the only system users with access to view, change or delete logs. Even then, you should be able to uniquely identify which administrator did this by ensuring that multiple users are not using a shared administrator account.
After you create your audit records, you must ensure that they are protected from alteration. It is best to use a centralized PCI DSS logging solution with restricted access and the ability to retain log data from all system components in the cardholder data environment for at least 90 days, and to keep records for one year.
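One way to make stored audit records tamper-evident, as an added example that is not from the original article: each entry carries an HMAC tag over its own content and the previous entry's tag, so a verifier holding the key can detect any record that was edited, deleted or reordered after collection. The key, record layout and sample entries are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed verification key; in practice it lives only on the central log
# collector, so a host (or admin) that edits a local copy cannot re-tag entries.
VERIFY_KEY = b"example-key-held-by-central-log-server"
GENESIS = "0" * 64  # tag assumed for the entry before the first one

def _tag(prev, record, key):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()

def append_entry(chain, record, key=VERIFY_KEY):
    """Append an audit record, tagging it over the previous tag and its own content."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "tag": _tag(prev, record, key)})
    return chain

def verify_chain(chain, key=VERIFY_KEY):
    """Return (ok, first_bad_index). Catches edited, deleted and reordered entries."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or not hmac.compare_digest(
            entry["tag"], _tag(prev, entry["record"], key)
        ):
            return False, i
        prev = entry["tag"]
    return True, None

def build_sample_chain():
    """Constructed sample audit records (not real log data)."""
    chain = []
    for rec in (
        {"ts": "2024-03-01T09:00:01Z", "user": "alen", "event": "login", "result": "success"},
        {"ts": "2024-03-01T09:05:00Z", "user": "admin1", "event": "audit_config_change", "result": "success"},
        {"ts": "2024-03-01T09:06:00Z", "user": "admin1", "event": "record_delete", "result": "success"},
    ):
        append_entry(chain, rec)
    return chain

def altered_copy(chain, index, new_event="login"):
    """Copy of the chain with one record rewritten in place: the case the check must catch."""
    c = copy.deepcopy(chain)
    c[index]["record"]["event"] = new_event
    return c
```

Running the verifier on the central copy on a schedule, and alerting on the first bad index, gives you the change detection on audit logs that the requirement list above asks for.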
Ensuring the correct time is set for devices and applications.
A timestamp is a piece of data associated with each action that indicates when it occurred; timestamps provide the time window in which malicious or inappropriate activity took place. As analysts try to recreate the event, they need to know who was logged in and what other activities took place during that period.
Without synchronized clocks across the various networks, analyzing logs and reconstructing a sequence of events can be nearly impossible. Therefore, time synchronization technology such as Network Time Protocol (NTP) is essential to help security and compliance teams build the accurate sequence of events needed to monitor and investigate incidents.
Regularly reviewing logs
In addition to ensuring that accurate information is generated, centrally stored, and protected from unauthorized access or modification, you should monitor your logs and security events regularly, with alerts that can be reviewed at any time of the day or night. This helps you identify suspected anomalies and activities.
Daily monitoring helps you detect malicious or inappropriate actions sooner. Reviewing logs may mean a single person reads through them line by line; however, most organizations today use automatic log analysis software that flags interesting or strange events according to predetermined criteria and notifies administrators of anomalies by e-mail alerts.
Maintain an audit record for a period of one year.
Because it can take some time to learn that a breach has occurred, PCI DSS Requirement 10 requires organizations to retain records for at least a year to ensure incidents can be reviewed for an extended period. Organizations should also ensure that their daily data are available for immediate review for at least three months.
Make sure security policies and operational procedures are in place.
The final PCI DSS Requirement 10 sub-requirement specifies that security policies and operating procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
What are the Challenges of PCI Log Management and Monitoring?
In most cases it is not difficult to find a technology, or a combination of technologies, that can meet the PCI DSS logging and log management requirements. Security Information and Event Management (SIEM) tools are handy for Requirement 10 of PCI DSS and are widely available on the market.
However, technology alone is not enough to ensure compliance, and costly systems quickly become useless and dysfunctional unless care is taken to realize their value.
The challenge for many companies is that installing, configuring, maintaining, and managing the systems required for PCI DSS compliance can be time- and resource-intensive, and IT environments are often heterogeneous.
It takes time and expertise to recognize and process logs from the right system components, efficiently implement the most appropriate monitoring devices and set up systems to distinguish between real threats and false positives.
Many day-to-day monitoring systems generate a high volume of alerts, which can be difficult to manage in-house, especially for organizations without a large, dedicated security team. Advanced security expertise is required to understand device output and respond quickly to alerts.
Daily Log Monitoring and PCI DSS Compliance
Going forward, compliance with this requirement should be simple because most software packages and applications ship with the logging capability required for compliance. However, this functionality is not always available out of the box.
When selecting software and application vendors for use in the PCI environment, ensure they support all the specifications outlined in PCI DSS Requirement 10. These features are generally supported out of the box on all modern operating systems, including Windows, Linux, and Mac OS, though some require extra work to turn certain features on and adjust them to the correct settings.
Daily monitoring provides faster response to security events and increases the efficiency of your security systems. Log analysis and routine monitoring demonstrate your ability to comply with PCI DSS requirements and help you protect yourself against attacks from inside and outside.
Keep in mind that the PCI DSS is all about intention and the purpose here is to reproduce a computer crime or data breach to determine when it happened, how it happened, and who did it.
Organizations that can demonstrate this capability can not only comply with the purpose and meticulousness of the PCI DSS but also ensure that any data breach can be easily detected and thoroughly investigated.