The PCI DSS Requirements mandate organizations that handle cardholder data to log and monitor access to sensitive data environments. Compliance with these PCI logging requirements will help successfully track network and data security in the long term. Read our blog to learn everything you need to know about these requirements.
What are the PCI Logging Requirements?
PCI DSS v4.0 outlines PCI logging requirements to help your organization secure access to sensitive data environments across your infrastructure. To explore them, this blog will cover:
- A brief overview of the PCI DSS framework
- A breakdown of the individual sub-requirements of PCI DSS Requirement 10
Implementing the processes and procedures outlined in the PCI logging requirements will help secure cardholder data and minimize the risks of data breaches, especially with the guidance of a PCI compliance advisor.
What is the PCI DSS Framework?
Compliance with the Payment Card Industry (PCI) Data Security Standards (DSS) enables organizations that handle cardholder data to keep it safe from cybersecurity threats. To effectively mitigate these fast-evolving risks from threatening your data security and integrity, you will benefit from complying with the PCI DSS Requirements. The DSS framework comprises 12 Requirements, each containing guidelines that help these organizations implement robust data security practices and safeguards to keep cardholder data (CHD) secure at all times.
As security risks evolve, the PCI Security Standards Council (SSC) releases updated guidance on how best organizations can protect CHD from being compromised. PCI DSS v4.0 is currently the most up-to-date version.
Assess your PCI compliance
Breakdown of PCI DSS Requirement 10
Within the PCI DSS v4.0, the PCI compliance logging requirements are listed in Requirement 10, which mandates card payment processors to log and monitor access to sensitive data environments within their infrastructure.
Let’s break down the guidelines listed throughout PCI DSS Requirement 10:
Requirement 10.1 – Define and Document Logging Infrastructure
When implementing processes and mechanisms for PCI logging and monitoring, personnel organization-wide must understand how these controls work and how they can implement them.
These controls are more likely to work effectively if you establish policies and procedures to guide your staff on data security best practices.
Defining and documenting PCI compliance logging policies and procedures will help:
- Keep staff updated about changes in processes, technologies, and business objectives
- Set expectations for data security standards
- Explain formally assigned roles and responsibilities
With a proper understanding of data security expectations, your staff will more effectively meet the PCI compliance logging requirements.
Requirement 10.2 – Implement Audit Logs to Detect Anomalies
Implementing audit logs will help promptly identify anomalous and suspicious events before they can develop into high-impact security threats. Audit logs will work effectively when you:
- Enable audit logs – Audit logs must be enabled for all system components and CHD environments, ensuring:
- Audit logs can transmit data to other monitoring systems (e.g., intrusion detection systems (IDS), security information and event monitoring systems (SIEM))
- Event logs are easily traceable to identify potential malicious activity
- Capture attempts to access CHD – Audit logs should capture all individual user attempts to gain access to CHD environments (CDE). Specific personnel should conduct routine examinations of audit log configurations to verify user access events are logged.
- Monitor privilege-based access – In many cases, accounts with privileged access to CDE pose a high risk to data security. Audit logs must also track access to CDE using these accounts, regardless of their access privilege levels.
- Record access to audit logs – All access attempts to audit logs must be captured to prevent malicious individuals from altering log activity. Here, effective daily log monitoring can help identify unusual changes to audit logs.
- Log changes to access credentials – Any changes to identification and authentication credentials must be logged, especially when they involve:
- Creation of new accounts
- Elevation of privileges
- Additions, deletions, or modifications of account access
Additionally, keeping track of specific details for each auditable event (e.g., user identification, type of event, or date and time) will simplify follow-up of suspicious and malicious activities.
Requirement 10.3 – Protect Audit Logs from Compromise
To safeguard audit files from being compromised by malicious individuals, PCI DSS Requirement 10.3 mandates:
- Providing audit log read access to only those users with a job-related need such that sensitive information is protected on a need-to-know basis
- Protecting audit logs from modification by deploying:
- Access control mechanisms
- Physical segregation of publicly accessible log infrastructure
- Network segregation controls
- Backing up audit files to secure central servers or other media that is not easily modifiable
- Implementing file integrity monitoring or other change detection mechanisms for all audit logs
Keeping audit logs secure will protect the integrity of these files and streamline investigations into potential malicious activity.
Requirement 10.4 – Review Audit Logs for Anomalies
Compliance with the PCI logging requirements also involved reviewing audit logs for anomalies or suspicious activity. Organizations are required to conduct PCI daily log reviews of all security events and logs of system components (critical or otherwise) that store CHD or sensitive authentication data (SAD), along with servers and system components responsible for security functions (e.g., network security controls). These audit log reviews must be conducted at a frequency defined in your risk analysis framework and in alignment with your PCI security policy.
Requirement 10.5 – Retain Audit Logs for Future Analysis
Audit log history must remain available for analysis should malicious events be identified long after the activity was logged. Organizations are required to retain audit log history for at least 12 months, keeping the most recent three months available for immediate analysis. You can retain logs by storing them online, archiving them securely, or restoring them from backups.
Requirement 10.6 – Implement Time-Synchronization Mechanisms
Implementing time-synchronization mechanisms keeps time settings consistent across all systems and audit logs. This makes it easier to track and compare audit log files recorded across different geographical locations. You can achieve time-synchronization by:
- Using time-synchronization technology for system clocks and time
- Configuring systems to correct and consistent time based on internationally-recognized standards (e.g., UTC for audit logs received from external sources)
- Protecting access to time-synchronization settings and data
If audit logs are not properly time-synchronized, investigators will find it challenging to verify the accuracy of log activity during post-incident investigations.
Requirement 10.7 – Manage Critical Security Control Failures
Any failures of critical security control systems must be promptly identified, responded to, and managed before they impact audit logs and other critical components in your infrastructure.
PCI audit logs can be impacted by failures of network security controls, audit logging mechanisms, or segmentation controls. If these controls fail, the responsible personnel must be notified to mount an immediate security response to these incidents and mitigate risks to CHD.
Although the PCI logging requirements provide guidelines for strengthening access control infrastructure, they typically work hand-in-hand with other PCI DSS Requirements. The best way to remain compliant with the entire PCI DSS framework is to understand which requirements apply to your organization’s data processing activities.
Partnering with a PCI compliance specialist will help optimize compliance across your infrastructure and keep CHD secure year-round.
Optimize PCI Compliance Logging Controls
Compliance with the PCI logging requirements will help you promptly identify, respond to, and manage potential threats to your data security. With the help of an experienced PCI compliance partner like RSI Security, your organization will optimize existing PCI logging and monitoring controls to keep CHD safe in the short and long term.
To learn more, contact RSI Security today.