Safeguarding sensitive cardholder data starts with mitigating risks to the IT infrastructure that handles this information. One way to do so is to comply with the PCI logging requirements, which guide you on how to audit the IT infrastructure that handles sensitive data and the controls that protect it. Read on to learn about the requirements and how to follow them.
What are the PCI Logging Requirements?
Compliance with the PCI logging requirements is one of the most critical steps to help you identify potential risks to cardholder data. Audit logs will help you track events that can compromise the integrity of cardholder data as it is processed, stored, or transmitted.
Below, we’ll cover:
- Why you should comply with the PCI logging requirements
- An overview of the PCI DSS logging requirements
The most effective way to optimize compliance with the PCI logging requirements is to partner with an experienced PCI compliance advisor, who will help mitigate data breach risks to any sensitive cardholder data you handle.
Why Comply with the PCI Logging Requirements?
The Payment Card Industry (PCI) Data Security Standards (DSS) were developed to help organizations safeguard the cardholder data (CHD) they handle. Whether you take card payments at point-of-sale (POS) terminals, via an online payment portal, or another means, the requirements of the PCI DSS apply to you.
Compliance with the PCI logging requirements helps increase your visibility into your cardholder data environment (CDE). Establishing effective PCI logging mechanisms is crucial to identifying risks to your CDE early on and preventing them from becoming full-blown threats.
You will find the PCI DSS logging requirements even more crucial to your security posture if multiple systems are involved in collecting, storing, processing, or transmitting CHD. These requirements also apply to internal and external system users, such as employees, contractors, vendors, or other related third parties, but not to the cardholders themselves.
Breakdown of the PCI Logging Requirements
The latest version of the PCI DSS, version 4.0, comprises 12 Requirements, which help organizations keep CHD safe at rest and in transit. These Requirements are structured such that any organization can follow them to achieve a high security standard, short- and long-term.
PCI DSS Requirement 10 specifically covers the PCI logging requirements and is broken down into seven sub-sections, as follows:
Requirement 10.1 – Define and Document Logging Processes
Per Requirement 10.1, the security policies and operational processes developed from the PCI logging requirements must be:
- Documented for all personnel to access and reference
- Up-to-date with current industry standards and security requirements
- Actively used by all required personnel
- Disseminated to all relevant parties
Most importantly, these security policies and operational processes must evolve with changes in card payment technologies, organizational processes, or business objectives.
For the PCI logging requirements to be met, there must be sufficient oversight of the policies’ implementation—ensuring that security objectives match the controls you currently implement.
To help you achieve robust implementation of the PCI logging requirements, DSS Requirement 10 recommends assigning day-to-day roles and responsibilities, ensuring full accountability.
Ensuring that designated personnel fully understand and formally accept their assigned responsibilities will help minimize gaps in PCI logging implementation. An effective way to do so is with the help of a responsibility assignment matrix (also called a RACI matrix) to track which personnel are responsible, accountable, consulted, and informed of all PCI logging processes.
Requirement 10.2 – Use Audit Logs to Detect Unusual System Activity
PCI DSS Requirement 10.2 mandates the implementation of audit logs to help detect suspicious system activity before it can turn into an active threat. Compliance with DSS Requirement 10.2 starts with enabling audit logging on all systems you use to handle CHD and ensuring these logs remain active as CHD is processed. These logs are also crucial to keeping track of all the individuals that access the CDE and flagging any unusual events within it.
Implementing audit logs in compliance with the PCI logging requirements will also help you:
- Optimize threat detection – Audit logs can be used as part of intrusion-detection systems (IDS) or security information and event management (SIEM) solutions to alert system administrators to potential security threats to the CDE.
- Conduct forensic analysis – Audit logs are also essential to conducting security incident forensics, helping you track the origin of such events and optimize security controls for future risk mitigation. These logs also help you promptly identify which CHD accounts are potentially compromised when security incidents occur.
- Identify misuse of access privileges – In instances where users with administrator-level access misuse their privileges, audit logs can provide evidence of any actions these individuals perform.
- Track all access attempts – Audit logs are also critical to recording all user access attempts to the audit logs themselves, and to flagging invalid logins that may indicate malicious activity (e.g., brute-force login attempts).
- Log changes to credentials and system objects – Any modification of access credentials via the creation of new accounts or elevation of privileges can be tracked with audit logs. Additionally, they can help track unusual modifications to system objects, an attack vector characteristic of malware.
When creating audit logs, you must also ensure that they record:
- The type of event logged
- Date and time a specific event occurred
- Indication of the success or failure of the security event
- How and where the security event started
- Assets affected by an incident, such as:
  - Specific CHD or CDE
  - System component (e.g., network)
  - Resource (e.g., server)
  - Service (e.g., payment portal)
In addition, you must ensure that audit logs collect sufficient data to aid threat detection processes or downstream forensic analysis, should a security event occur.
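The following is an added example (not code from the article or from RSI Security) of what enforcing the list above looks like in practice: every audit record must carry the event type, a UTC timestamp, the outcome, the origin (who and from where) and the affected asset, and a record missing any of these is refused before it is written. The field names, the JSON-lines layout and the masking rule for card numbers are this example's own assumptions; the masking is a design choice so that a CHD asset is referenced by a masked identifier rather than the full card number, which keeps the log itself from becoming cardholder data.

```python
"""Audit record builder/validator for the required PCI DSS 10.2 details.
Added example; field names and layout are assumptions, not from PCI DSS."""
import json
import re
from datetime import datetime, timezone

# Every record must carry these fields (the details listed in the article).
REQUIRED_FIELDS = (
    "event_type",  # what happened, e.g. "login", "privilege_change"
    "timestamp",   # when: always UTC, ISO 8601, so systems can be compared
    "outcome",     # "success" or "failure"
    "origin",      # how/where it started: user identity and source address
    "asset",       # what was affected: component, resource, service or CHD reference
)

# Assumed pattern for a full card number (13-19 digits); used only for masking.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def mask_pan(value: str) -> str:
    """Mask anything that looks like a full PAN, keeping first six and last four.
    Design choice: the log references CHD by a masked identifier, never the full PAN."""
    def _mask(m):
        digits = m.group(0)
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(_mask, value)


def make_audit_event(event_type, outcome, user, source_ip, asset, detail="", when=None):
    """Build one audit record carrying all required fields; `when` defaults to now (UTC)."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    ts = when or datetime.now(timezone.utc)
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware so they can be normalized to UTC")
    return {
        "event_type": event_type,
        "timestamp": ts.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "outcome": outcome,
        "origin": {"user": user, "source_ip": source_ip},
        "asset": mask_pan(asset),
        "detail": mask_pan(detail),
    }


def missing_fields(record: dict) -> list:
    """Names of required fields absent or empty in a record (empty list when complete)."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]


def to_log_line(record: dict) -> str:
    """Serialize a complete record as one JSON line; refuse incomplete records
    so that a line lacking a required detail never reaches the log."""
    gaps = missing_fields(record)
    if gaps:
        raise ValueError(f"audit record missing required fields: {gaps}")
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample events (not real data).
    ev1 = make_audit_event("login", "failure", "jdoe", "10.0.0.7", "payment-portal",
                           when=datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc))
    ev2 = make_audit_event("privilege_change", "success", "admin", "10.0.0.9", "db-server",
                           detail="role=dba granted for account 4111111111111111",
                           when=datetime(2024, 5, 1, 8, 5, tzinfo=timezone.utc))
    for ev in (ev1, ev2):
        print(to_log_line(ev))
```

The validator runs at write time, which is the cheapest place to catch a missing detail; discovering during an investigation that the origin field was never populated is exactly the gap the requirement is meant to close.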
Requirement 10.3 – Safeguard Audit Logs from Alteration or Destruction
According to PCI DSS Requirement 10.3, you must protect the integrity of audit logs by minimizing their destruction and unauthorized modification. To meet the PCI logging requirements, your organization should implement measures such as:
- Restricting access to logs – Only users whose specific job responsibilities require access to audit logs should have read access to these files. Since audit logs often contain sensitive information, only designated individuals should be granted access on a need-to-know basis.
- Preventing log modification – Any modification of audit logs can compromise the integrity and accuracy of forensic analysis if a security incident occurs. Audit logs should therefore be protected with physical or logical access controls to prevent malicious actors from accessing and modifying these files.
- Backing up log files – Keeping a backup of audit log files on a secure, central, internal server or other media device is critical to mitigating the loss of these files, should your system become compromised by a security threat. It is also crucial that backups are made promptly to a protected server or media device, preferably an external one to minimize the risks of data loss or alteration.
- Monitoring log file integrity – Deploying file integrity monitoring or change-detection systems on audit logs will ensure that any changes to the log data will trigger alerts to security administrators.
Safeguarding the integrity of audit logs will keep them accurate and streamline forensic analysis in the event of a security incident. Automating any alerts of log tampering will also help prevent cybercriminals and their accomplices from covering their tracks during a potential cyberattack.
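As an added example of the "preventing log modification" and "monitoring log file integrity" points (not code from the article or RSI Security), the block below links each JSON log line to the previous one with a SHA-256 hash, so that editing, deleting or reordering an entry breaks the chain and a verifier can report the first affected entry. The record layout is constructed for illustration; the assumption is that the running chain head returned by `append_event` is recorded on a separate, write-restricted system (or that the log is shipped to a central log server), which is what lets the verifier also notice a truncated log.

```python
"""Tamper-evident (hash-chained) audit log with a verifier.
Added example; record layout is an assumption for illustration."""
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first entry's "prev" link


def _canon(obj) -> str:
    # Canonical JSON so the same record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def _digest(prev_hash: str, record: dict) -> str:
    return hashlib.sha256((prev_hash + _canon(record)).encode()).hexdigest()


def append_event(lines: list, record: dict) -> str:
    """Append a record to the log (a list of JSON lines), linking it to the previous
    entry. Returns the new chain head, which a separate monitor should record."""
    prev = json.loads(lines[-1])["hash"] if lines else GENESIS
    entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
    lines.append(_canon(entry))
    return entry["hash"]


def verify_chain(lines: list, expected_head: str = None):
    """Walk the chain. Returns (True, None) when intact, else (False, index) where
    index is the first entry that fails. With expected_head (the last head a
    separate monitor recorded) a log truncated at the end is also detected."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            entry = json.loads(line)
            ok = entry["prev"] == prev and entry["hash"] == _digest(prev, entry["record"])
        except (ValueError, KeyError, TypeError):
            ok = False
        if not ok:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(lines)  # entries missing from the end
    return True, None


def tamper_entry(lines: list, index: int, field: str, value) -> list:
    """Copy of the log with one record field rewritten; simulates an unauthorized
    edit so the verifier can be exercised."""
    copy = list(lines)
    entry = json.loads(copy[index])
    entry["record"][field] = value
    copy[index] = _canon(entry)
    return copy


def build_sample_log():
    """Constructed sample log (not real data); returns (lines, chain head)."""
    log, head = [], None
    for rec in (
        {"event_type": "login", "outcome": "failure", "user": "jdoe", "ts": "2024-05-01T08:00:00+00:00"},
        {"event_type": "login", "outcome": "success", "user": "jdoe", "ts": "2024-05-01T08:01:00+00:00"},
        {"event_type": "privilege_change", "outcome": "success", "user": "admin", "ts": "2024-05-01T08:05:00+00:00"},
    ):
        head = append_event(log, rec)
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    print("intact:", verify_chain(log, head))
    print("edited entry:", verify_chain(tamper_entry(log, 0, "outcome", "success"), head))
    print("truncated, no stored head:", verify_chain(log[:-1]))
    print("truncated, stored head:", verify_chain(log[:-1], head))
```

The chain only makes tampering evident; it does not stop it. That is why the head must live somewhere the log writer cannot alter, and why the change-detection alert the article describes should fire on the verifier's first `False` result rather than waiting for a scheduled review.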
Requirement 10.4 – Review Audit Logs for Anomalies
Compliance with the PCI logging requirements also requires consistent reviews of audit logs to identify any unusual activity. Since most attacks are undetected when they start, conducting ongoing reviews of audit logs helps promptly identify threats before they become attacks.
Per Requirement 10.4, you must review the following audit logs at least once per day:
- All security events recorded in the logs (e.g., the elevation of account privileges)
- Logs of assets such as:
  - Critical system components
  - System components that process CHD or sensitive authentication data (SAD)
  - Servers and other system components responsible for security tasks (e.g., intrusion detection systems (IDS) and intrusion prevention systems (IPS))
In most cases, it is challenging to manually review audit logs given the large amounts of data they generate. Automating reviews of audit logs minimizes lapses in threat detection, especially when using tools such as log harvesting or parsing.
Beyond monitoring audit logs for suspicious activity, you must ensure:
- All system logs outside of those specified above are reviewed periodically, if not once daily, to identify potential risks to those systems early on.
- Periodic log reviews are conducted at the same frequency outlined in your organization’s targeted risk analysis framework and overall security policy.
After conducting reviews of audit logs, you must promptly address any anomalies you identify, ensuring clear designations for recording log reviews, ranking identified anomalies, and escalating and remediating those considered high-risk.
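The automated review described above, as an added example that is not code from the article or RSI Security: it parses a day's worth of JSON audit lines, flags the kinds of anomalies the article names (a burst of failed logins from one source, privilege elevation, and any access to the audit logs themselves), counts lines it cannot parse instead of aborting, and returns findings ranked by severity so the high-risk ones can be escalated first. The log format, field names, the five-failures-in-ten-minutes threshold and the severity ranking are this example's assumptions, not values taken from PCI DSS.

```python
"""Daily audit log review: parse, detect anomalies, rank for escalation.
Added example; format, thresholds and severities are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tunables (not PCI DSS values): failed logins from one source within
# the window that count as a brute-force indicator.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_lines(lines):
    """Parse JSON lines into events sorted by time; malformed lines are counted,
    not fatal, so one bad line cannot silently stop the whole review."""
    events, bad = [], 0
    for line in lines:
        try:
            ev = json.loads(line)
            ev["_ts"] = datetime.fromisoformat(ev["timestamp"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            bad += 1
    events.sort(key=lambda e: e["_ts"])
    return events, bad


def review(lines):
    """Return a list of findings (dicts with severity and kind), highest severity first."""
    events, bad = parse_lines(lines)
    findings = []
    failures = defaultdict(list)  # source_ip -> timestamps of recent failed logins
    for ev in events:
        origin = ev.get("origin") or {}
        etype, outcome = ev.get("event_type"), ev.get("outcome")
        asset = str(ev.get("asset", ""))
        # 1. Failed-login burst from one source within a sliding window.
        if etype == "login" and outcome == "failure":
            src = origin.get("source_ip", "?")
            window = failures[src]
            window.append(ev["_ts"])
            while ev["_ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)
            if len(window) == FAILED_LOGIN_THRESHOLD:  # fire once per burst
                findings.append({"severity": "high", "kind": "failed_login_burst",
                                 "source_ip": src, "count": len(window), "at": ev["timestamp"]})
        # 2. Every privilege elevation is reviewed, whether or not it succeeded.
        if etype == "privilege_change":
            findings.append({"severity": "medium", "kind": "privilege_change",
                             "user": origin.get("user"), "outcome": outcome, "at": ev["timestamp"]})
        # 3. Any access to the audit logs themselves.
        if asset.startswith("audit-log"):
            findings.append({"severity": "medium", "kind": "audit_log_access",
                             "user": origin.get("user"), "event_type": etype, "at": ev["timestamp"]})
    if bad:
        findings.append({"severity": "low", "kind": "unparseable_lines", "count": bad})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable: keeps time order within a level
    return findings


# Constructed sample lines (not real data): five failed logins a minute apart,
# then a success, a privilege change, a read of the audit log, and one bad line.
SAMPLE_LINES = [
    json.dumps({"event_type": "login", "outcome": "failure", "timestamp": f"2024-05-01T08:0{i}:00+00:00",
                "origin": {"user": "jdoe", "source_ip": "203.0.113.5"}, "asset": "payment-portal"})
    for i in range(5)
] + [
    json.dumps({"event_type": "login", "outcome": "success", "timestamp": "2024-05-01T08:05:00+00:00",
                "origin": {"user": "jdoe", "source_ip": "203.0.113.5"}, "asset": "payment-portal"}),
    json.dumps({"event_type": "privilege_change", "outcome": "success", "timestamp": "2024-05-01T09:00:00+00:00",
                "origin": {"user": "svc-batch", "source_ip": "10.0.0.9"}, "asset": "db-server"}),
    json.dumps({"event_type": "read", "outcome": "success", "timestamp": "2024-05-01T09:30:00+00:00",
                "origin": {"user": "auditor", "source_ip": "10.0.0.3"}, "asset": "audit-log:/var/log/audit"}),
    "not json at all",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LINES):
        print(finding)
```

In production the lines would come from the central log server rather than a list, and each finding would become a ticket whose handling (who reviewed it, how it was ranked, whether it was escalated) is itself recorded, which is the documentation trail the paragraph above asks for.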
Requirement 10.5 – Retain Audit Log History for Future Analysis
When it comes to the PCI log retention requirements, Requirement 10.5 mandates that organizations retain audit log history and make it available for analysis at any time.
Specifically, you must retain histories of audit logs for at least 12 months, ensuring that the most recent three months of logs can be easily and immediately accessed for analysis.
Having at least 12 months of audit log history available provides an appropriate window within which investigators can identify the source of a security incident if one occurs. Plus, storing audit log history in a central location streamlines investigations and can help mitigate potential data breaches or prevent future ones from occurring.
Requirement 10.6 – Synchronize Time Settings Across Systems
When using multiple systems in different time zones to handle CHD, PCI DSS Requirement 10.6 mandates the use of time synchronization technology (e.g., Network Time Protocol (NTP)) to sync time across these systems.
Without time synchronization, it is challenging to conduct comparative analyses across different systems to identify the source of a security threat during post-breach analysis.
Synchronizing systems to a correct and consistent time involves:
- Using one or more designated time servers
- Designating a single server to receive time from external sources
- Basing time on International Atomic Time or Coordinated Universal Time (UTC)
- Accepting time updates from only industry-accepted external sources
- Configuring internal systems to receive time from only the designated central time server(s)
To prevent unauthorized changes to time configurations, only designated individuals with a business need should have access to time data.
Furthermore, all changes to time data on critical systems must be logged, monitored, and reviewed to mitigate the risks of malicious actors making unauthorized changes.
Requirement 10.7 – Identify and Manage Critical System Failures
When critical systems start to fail, it is essential to catch these failures early on and initiate the appropriate incident response protocols to mitigate data breaches or losses. Failures may vary across systems based on the system function or the technology in use for the particular system.
To prevent these outcomes, you must identify and promptly manage failures in critical security control systems such as:
- Network security controls
- IDS/IPS systems
- Change detection mechanisms
- Anti-malware solutions
- Physical and logical access controls
- Audit logging mechanisms
- Automated security testing tools
The above requirement also applies to service providers that handle CHD.
When security controls fail, incident response protocols must help:
- Restore critical security functions
- Identify and document the duration and cause of security failures
- Manage any security issues arising from the failures
- Mitigate the risk of future failures
- Maintain security control monitoring
Compliance with the PCI DSS logging requirements will help you safeguard CHD from data breach risks. In addition, in the event of a data breach, compliance with these requirements will help you conduct a thorough forensic analysis and mitigate any future cyberattacks.
Optimize Your Security Posture with PCI Audit Logs
Implementing PCI audit logs helps to identify potential threats to CHD early on. However, it can also streamline forensic analysis if a data breach occurs. Ultimately, the best way to comply with the PCI logging requirements and reap these benefits is to work with a PCI compliance advisor like RSI Security, who can help you meet these requirements efficiently at scale.
To learn more about PCI audit logs, contact RSI Security today!