PCI DSS Requirement 10 requires all merchants to “establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.”
This requirement focuses on tracking and logging, both critical aspects of data protection. Requirement 10 safeguards the reliable transfer of payment and credit card data through the analysis and monitoring of PCI system activity logs. PCI DSS Requirement 10 helps determine the cause of a data breach by enforcing guidelines on tracking user activities.
More importantly, PCI DSS Requirement 10 is crucial in preventing, detecting, and eliminating the potential causes of a data breach from happening in the first place.
Essential Factors of Security and Compliance
PCI DSS Requirement 10 recognizes the need for organizations to have security and compliance in their digital environment. But there is no cookie-cutter solution for all organizations. Companies will have varying needs depending on their industry, complexity, and scale.
There are organizations that maintain their traditional infrastructure by having an on-premise data center. On the other hand, some businesses rely on modern cloud services that outsource their resources.
Whatever the network architecture of a company, there are essential factors that compliance experts and security consultants must focus their attention on:
Organizations must be mindful of their logging data. Compliance requires constant proof that the logs are immutable and that cybercriminals can’t tamper with them without leaving any evidence.
Immutable logs are hallmarks of PCI DSS Requirement 10. Companies should demonstrate that their network can audit who has access to vital data, when, how, and why. The reporting accountability system must always prove that the logs are unaltered.
Cybercriminals have various ways to bypass PCI DSS Requirement 10. The most common is log disabling, where hackers hide the digital trail they leave behind by turning off the logging mechanism.
Another method is to break into the log store and delete the entries that would show the system was tampered with.
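The two evasions above (altering or deleting log records) are exactly what a tamper-evident log is meant to expose. The following is an added example, not code from the original article or from RSI Security: each access record carries an HMAC over its own fields plus the digest of the previous record, so re-verifying the chain detects an altered record, a deleted record (sequence gap), or a reordered one. The key, hostnames and the file path are constructed values; the one caveat the example makes visible is that silently dropping the newest records is only detectable when the latest digest is also anchored somewhere the logged host cannot write, such as the central collector.

```python
"""Tamper-evident audit log (added example): each record's digest covers the
previous record's digest, so altering, deleting or reordering earlier records
breaks the chain when it is re-verified."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In a real deployment the key lives on the central log
# collector (or a signing key is used), so a compromised host cannot re-sign
# its own history after editing it.
CHAIN_KEY = b"constructed-demo-key"
GENESIS = "0" * 64
FIELDS = ("seq", "user", "action", "target")


def _digest(prev_digest: str, entry: Dict) -> str:
    """HMAC-SHA256 over the previous digest plus the canonical JSON of the record."""
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True).encode()
    return hmac.new(CHAIN_KEY, prev_digest.encode() + body, hashlib.sha256).hexdigest()


def append_entry(chain: List[Dict], user: str, action: str, target: str) -> Dict:
    """Append one access record, linked to the digest of the record before it."""
    prev = chain[-1]["digest"] if chain else GENESIS
    entry = {"seq": len(chain), "user": user, "action": action, "target": target}
    entry["digest"] = _digest(prev, entry)
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], anchor: Optional[str] = None) -> Tuple[bool, str]:
    """Recompute every digest in order. `anchor` is the newest digest as recorded
    somewhere the logged host cannot write (for example the central collector);
    without it, quietly truncating the tail of the log is not detectable."""
    prev = GENESIS
    for position, entry in enumerate(chain):
        if entry["seq"] != position:
            return False, f"sequence gap at position {position}: seq={entry['seq']}"
        if not hmac.compare_digest(_digest(prev, entry), entry["digest"]):
            return False, f"record {position} was altered"
        prev = entry["digest"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, "chain head does not match the external anchor (records removed?)"
    return True, "ok"


def build_sample_chain() -> List[Dict]:
    """Constructed sample: three access events, one performed as root."""
    chain: List[Dict] = []
    append_entry(chain, "alice", "login", "pos-terminal-01")
    append_entry(chain, "root", "read", "/var/lib/cde/cardholder.db")  # constructed path
    append_entry(chain, "bob", "logout", "pos-terminal-02")
    return chain


def tamper_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Verification results for an intact chain and three kinds of tampering."""
    good = build_sample_chain()
    anchor = good[-1]["digest"]         # what the collector would have stored

    altered = copy.deepcopy(good)
    altered[1]["user"] = "bob"          # rewrite who performed the root read

    deleted = copy.deepcopy(good)
    del deleted[1]                      # remove the root access record entirely

    truncated = copy.deepcopy(good)
    truncated.pop()                     # drop the newest record

    return {
        "intact": verify_chain(good, anchor),
        "altered": verify_chain(altered, anchor),
        "deleted": verify_chain(deleted, anchor),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, anchor),
    }


if __name__ == "__main__":
    for name, (ok, reason) in tamper_scenarios().items():
        print(f"{name:22} {'PASS' if ok else 'FAIL'}  {reason}")
```

Running the block shows the intact chain and the unanchored truncation both passing, and the altered, deleted and anchored-truncation cases failing; the last pair is the reason a per-host chain is not enough on its own and the head digest should be shipped off-host as part of centralized logging.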
The Internet is not a room with only one door; it has alternate doors and various windows. In your digital environment, data typically passes through multiple entry points online. For example, smartphones can connect via a wireless access point with the help of a router. Credit card data courses through terminals on its way to merchants.
PCI DSS Requirement 10 places the responsibility for data security in the hands of organizations and businesses. Cardholder data and other sensitive personal information are the priority at all times.
Compliance with PCI DSS Requirement 10 entails properly tracking what happens to clients’ personal information and cardholder data. This includes the sending and processing of the data. The task can be complex because several network devices keep logs of their own.
With centralized logging, an organization must scan the logs thoroughly to find vulnerabilities before cybercriminals can exploit these. Even if the data comes from numerous devices, all this information must only be in one central location for root-cause analysis and review.
The following methods are highly recommended for centralized logging:
- Raw data dumps
- Real-time aggregation of logs
- Machine learning technologies
- Analysis of anomalies
- Pre-designated actions for security incidents
Machine learning can quickly detect data trends and exceptions over a period of time, minimizing the likelihood of a company falling out of compliance.
There must be a strict and precise internal policy about log data retention that all personnel must thoroughly understand. Organizations must strive to avoid suspicious activity in their logs, such as purging or overwriting.
In typical infrastructure setups, the annual retention period is split into nine months of cold storage and three months of hot storage. Cost-efficiency is the objective of this allocation of resources.
IT personnel typically purge data after every successful audit report. If a compliance issue arises later, the audit report becomes the point of reference instead of the purged data.
Data retention is a crucial factor in whether an organization passes compliance. The native, cloud, or hybrid network is a living and vulnerable entity in a hostile environment. Planning for data retention helps defend the health and safety of the digital environment.
Self-audit is an essential component of PCI DSS Requirement 10. The organization must have personnel that will monitor routers, firewalls, and other vital internal equipment regularly.
The compliance guideline indicates that daily reviews of logs and activity are essential to detect attacks and anomalies as soon as possible. Procrastination gives cybercriminals enough time to entrench themselves in the network.
The access and analysis of the logs must be available at a moment’s notice.
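The centralized-logging section above (aggregating records from many devices into one place and analyzing anomalies) and the daily-review section here both come down to the same workflow: normalize lines from different hosts into one event stream, then run a small set of checks over it. The following is an added example, not code from the original article or from RSI Security. The log lines are constructed in a syslog-like shape, the business-hours window and failure threshold are assumed policy values, and the checks map to points the article makes: a direct root login that cannot be linked to an individual, privileged activity outside business hours, a privileged command touching the logging service itself, and a burst of failed logins from one source.

```python
"""Centralized log review (added example): normalize lines from several hosts
into one event stream, then run the checks a daily review needs to link
privileged access to an individual and to spot anomalies."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in a syslog-like shape from two hosts; not real logs.
SAMPLE_LOGS = [
    "2024-03-04T02:13:07 pos-db01 sshd[311]: Accepted publickey for root from 10.0.5.23 port 50112 ssh2",
    "2024-03-04T09:02:11 pos-db01 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl stop rsyslog",
    "2024-03-04T09:03:40 pos-web01 sshd[842]: Failed password for bob from 198.51.100.7 port 41022 ssh2",
    "2024-03-04T09:03:41 pos-web01 sshd[842]: Failed password for bob from 198.51.100.7 port 41023 ssh2",
    "2024-03-04T09:03:42 pos-web01 sshd[842]: Failed password for bob from 198.51.100.7 port 41024 ssh2",
    "2024-03-04T10:15:09 pos-web01 sshd[901]: Accepted publickey for carol from 10.0.5.40 port 50200 ssh2",
    "2024-03-04T10:16:00 pos-web01 sudo: carol : TTY=pts/1 ; COMMAND=/usr/bin/less /var/log/auth.log",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[a-z-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")

BUSINESS_HOURS = range(8, 19)      # 08:00-18:59 local time (assumed policy value)
FAILURE_THRESHOLD = 3              # failed logins from one source before flagging (assumed)
LOGGING_SERVICES = ("rsyslog", "syslog-ng", "auditd", "journald")


def parse_line(line: str) -> Optional[Dict]:
    """Turn one raw line into a normalized event, or None if it is not recognized."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "raw": line}
    if m["prog"] == "sshd":
        s = SSH_RE.match(m["msg"])
        if not s:
            return None
        event.update(kind="ssh_" + s["result"].lower(), user=s["user"], ip=s["ip"])
    elif m["prog"] == "sudo":
        s = SUDO_RE.match(m["msg"])
        if not s:
            return None
        event.update(kind="sudo", user=s["user"], cmd=s["cmd"])
    else:
        return None
    return event


def review(events: List[Dict]) -> List[Tuple[str, str]]:
    """Daily-review checks over the aggregated stream; returns (check, evidence) pairs."""
    findings: List[Tuple[str, str]] = []
    failures: Dict[str, int] = defaultdict(int)
    for ev in events:
        # A direct root login cannot be tied to an individual; sudo by a named user can.
        if ev["kind"] == "ssh_accepted" and ev["user"] == "root":
            findings.append(("unattributed-admin-access", ev["raw"]))
        if ev["kind"] in ("ssh_accepted", "sudo") and ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours-access", ev["raw"]))
        # A privileged command against the logging service is what log disabling looks like.
        if ev["kind"] == "sudo" and any(svc in ev["cmd"] for svc in LOGGING_SERVICES):
            findings.append(("logging-service-touched", ev["raw"]))
        if ev["kind"] == "ssh_failed":
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] == FAILURE_THRESHOLD:
                findings.append(("failed-login-burst", ev["ip"]))
    return findings


def review_sample() -> List[Tuple[str, str]]:
    """Parse the constructed sample, order it by time, and review it."""
    events = [e for e in (parse_line(line) for line in SAMPLE_LOGS) if e is not None]
    return review(sorted(events, key=lambda e: e["ts"]))


if __name__ == "__main__":
    for check, evidence in review_sample():
        print(f"{check:26} {evidence}")
```

On the sample, the review produces four findings: the 02:13 root login is flagged twice (no individual to attribute it to, and outside business hours), alice's `systemctl stop rsyslog` is flagged as a change to the logging service, and the three failed logins from 198.51.100.7 are flagged as a burst; carol's in-hours session with an ordinary command produces nothing. The same structure scales to the real case by adding one parser per log source and keeping the checks on the normalized events.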
Version 3.2 of Requirement 10 and Recent Changes
New specifications became part of Version 3.2 of the PCI DSS Requirement 10.
Organizations must move away from Secure Socket Layer (SSL) and early Transport Layer Security (TLS) because various vulnerabilities emerged in these protocols during their 20-year run as an industry standard for secure encrypted transactions.
TLS v1.3 is a safer alternative under Requirement 10 version 3.2. Moreover, there is a sunset deadline by which organizations must make the switch. Experts encourage organizations to make the switch as early as possible to avoid a last-minute rush.
There are other aspects of Version 3.2 that organizations must be familiar with for full compliance:
When the technology of multi-factor authentication became available, it quickly became a best practice. The effectiveness of multi-factor authentication elevated its importance into a complete requirement under PCI DSS guidelines.
Multi-factor authentication significantly boosts the security of digital transactions. Password validation alone is no longer sufficient protection, given how capable cybercriminals have become. A second factor, usually biometric authentication or a security token, fulfills the Requirement 10 compliance.
Biannual Deep Penetration Testing
The revised Requirement 10 asks for more scans beyond the previous daily audit tasks. Qualified external auditors must probe the digital environment for gaps and vulnerabilities every six months and report the results.
Deep penetration testing is extensive and can assess the risk posture of the organization and the potential threats that can attack the system. This requirement will simulate all possible intrusions and find out weaknesses that cybercriminals may exploit.
‘Evolving Requirements’ is a term from the PCI Security Standards Council. In a nutshell, it refers to the “changes to ensure that standards are up to date with emerging threats and changes in the market.”
The only constant in the digital world is that there will always be malicious threats seeking to exploit vital corporate data for their gain.
The PCI DSS guidelines empower organizations to be proactive instead of waiting helplessly for cybercriminals. In addition, the new revisions for Requirement 10 encourage companies to be flexible and comprehensive in crafting their cybersecurity defense for compliance.
Evolving Requirements cover specifications that are dependent on the scale and size of the organization. The basic needs include constant updates about the latest regulation changes and an updated matrix of digital threats.
User-owned devices are also integral in a compliance plan. The advent of hybrid cloud infrastructure enabled the inclusion of smartphones, tablets, and external devices within the digital environment of an organization. Gone are the days when everything should be within the internal network of the company.
These devices may have robust capabilities, but they also present complicated compliance issues.
Evolving Requirements recognizes the need to adjust policies for user-owned devices to strengthen the security of the entire digital environment.
To fulfill the provisions of PCI DSS Requirement 10, the following compliance efforts can help an organization:
Write in Layman's Terms
The typical client or user will have little or no familiarity with terms such as PCI DSS Requirement 10 v3.2. The documentation should take care of this by using terminology and prose that are accessible and straightforward to the end-user.
The users must be able to discern the importance of the policy and how it relates to their information.
A holistic approach and perspective can help an organization determine its strengths and weaknesses before compliance checks. External auditors will always focus on the deficiencies of the digital environment. However, an organization should have the foresight and anticipate these problems to remediate them immediately.
A complete internal audit will help establish the baselines of a company as far as its security defense is concerned. Look at the origin points of the businesses and compare them to previous learnings and future threats. Gaps and vulnerabilities may cause fear and anxiety in the beginning. But addressing them immediately will help prevent problems.
Digital Darwinism is a ferocious race between business and technology, usually ending in unfit companies failing to adapt to the fast-evolving nature of digital breakthroughs. The rapid evolution of technology is a factor when a business is trying to strive for compliance.
The changes you create may suddenly become obsolete if you fail to keep up with the latest revisions of rules and regulations.
To overcome Digital Darwinism, the organization must commit resources to study best practices in the payment card industry regularly, not just for mandatory compliance checks. There is no room for complacency, especially with cybercriminals upgrading their capacity to harm.
Inclusion of Personnel
IT policy changes that leave essential personnel confused or scrambling will be counterproductive for the organization. Therefore, any significant changes that a company undertakes for PCI DSS Requirement 10 compliance must involve transparent consultation with key staff.
Any sudden revisions in how personnel carry out their basic tasks can significantly affect daily operations. Therefore, make sure everyone is on the same page, and if possible, ensure that integral employees can provide vital input.
The Payment Card Industry DSS
PCI DSS or the Payment Card Industry Data Security Standard is a standard for information security, specifically for organizations that handle credit card data from major brands. The mandate is from the card brands, but its administration is by the Payment Card Industry Security Standards Council.
The objective of the standard is to reduce and eliminate credit card fraud and crime. There are several controls in place to make sure this happens.
Compliance comes in the form of a quarterly or annual audit that varies depending on the scale of the organization:
- Self-Assessment Questionnaire (SAQ) for small companies
- External Qualified Security Assessor (QSA) for moderate volume companies
- Firm-specific Internal Security Assessor (ISA) for large companies
Expert Guidance for PCI DSS Requirement 10
If you are a merchant organization that accepts credit card payments, you will need to comply with PCI DSS Requirement 10 and its various nuances. With cybercriminals stepping up their game, you will need an expert partner to ensure your cybersecurity defense is up to par.
Understanding the essential compliance guidelines from Immutability Proof, Centralized Logging, Data Retention, and Daily Reviews will help you stay ahead of the competition. In addition, RSI Security can be your compliance partner because our team is both a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) with over 10 years of experience.
We will also help you comply with the various changes that Version 3.2 of Requirement 10 brings, such as Multi-Factor Authentication, Evolving Requirements, and Deep Penetration Testing.
Set up an appointment with a cybersecurity consultant with RSI Security, and we will promptly assist your organization in fulfilling the compliance of PCI DSS Requirement 10.