PCI DSS and Logging
The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard for organizations that handle branded credit cards from the major card providers (e.g., Discover, Visa, AMEX, MasterCard). While mandated by the credit card providers, it's administered by the Payment Card Industry Security Council. The standard itself is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
This standard is built around 6 goals, and those goals are tied to 12 different requirements. These are the goals and associated requirements for PCI DSS compliance:
| Goal | DSS Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and Maintain Network Security Controls 2. Apply Secure Configurations to All System Components |
| Protect Account Data | 3. Protect Stored Account Data 4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks. |
| Maintain a Vulnerability Management Program | 5. Protect All Systems and Networks from Malicious Software. 6. Develop and Maintain Secure Systems and Software. |
| Implement Strong Access Control Measures | 7. Restrict Access to System Components and Cardholder Data by Business Need to Know 8. Identify Users and Authenticate Access to System Components. 9. Restrict Physical Access to Cardholder Data. |
| Regularly Monitor and Test Networkss | 10. Log and Monitor All Access to System Components and Cardholder Data. 11. Test Security of Systems and Networks Regularly. |
| Maintain an Information Security Policy | 12. Support Information Security with Organizational Policies and Programs. |
PCI and Log-Monitoring Requirements
Logging is a foundational component of having an appropriate Defense in Depth security strategy in place. It is so important, that PCI DSS dedicated requirements too highlighting what should be collected, and why.
There are a few different sections that dive into a bit more detail, and we'll highlight them below for easy access and reference:
The PCI DSS Glossary defines a security event as “an occurrence considered by an organization to have potential security implications to a system or its environment. In the context of PCI DSS, security events identify suspicious or anomalous activity.” Because of the potential ambiguity with this language, PCI DSS goes on to more clearly specify the type of events that must be logged in requirement 10.2,.
| Requirement | Sub Requirements |
|---|---|
| 10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. | 10.2.1 Audit logs are enabled and active for all
system components and cardholder data. 10.2.2 Audit logs record the following details for each auditable event:
|
They go deeper into section 10.2.1:
| Requirement | Sub Requirements |
|---|---|
| 10.2.1 Audit logs are enabled and active for all system components and cardholder data. | 10.2.1.1 Audit logs capture all individual user
access to cardholder data. 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts. 10.2.1.3 Audit logs capture all access to audit logs. 10.2.1.4 Audit logs capture all invalid logical access attempts. 10.2.1.5 Audit logs capture all changes to identification and authentication credentials including, but not limited to:
10.2.1.6 Audit logs capture the following:
10.2.1.7 Audit logs capture all creation and deletion of system-level objects. |
While collecting, and knowing what to collect, are critical there is another very important element which ensures logs can be relied on when they are needed, and that is to ensure logs can never be modified. It is so important, it has a dedicated requirement in 10.3.
| Requirement | Sub Requirements |
|---|---|
| 10.3 Audit logs are protected from destruction and unauthorized modifications | 10.3.1 Read access to audit logs files is limited to those with a job-related need. 10.3.2 Audit log files are protected to prevent modifications by individuals. 10.3.3 Audit log files, including those for external facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify 10.3.4 File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. |
Lastly, logs are only as good as they are available. Too often organizations make the mistake of rotating logs too quickly making it impossible to understand what might have occurred when an incident occurs. It's why PCI DSS focuses on retention in requirement 10.5.
| Requirement | Sub Requirements |
|---|---|
| 10.5 Audit log history is retained and available for analysis | 10.5.1 Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. |
Trunc Solves PCI Logging Requirements
With Trunc, organizations are able to easily send all their logs to one centralized location. From there, their teams can easily access, analyze and parse the logs as needed. It also provides a mechanism to ensure the integrity of the logs, making it impossible for users and bad actors to modify and ensuring you have a source of truth in the event of an incident.
