The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard for organizations that handle branded credit cards from the major card providers (e.g., Discover, Visa, AMEX, MasterCard). While mandated by the credit card providers, it's administered by the Payment Card Industry Security Council. The standard itself is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
This standard is built around 6 goals, and those goals are tied to 12 different requirements. These are the goals and associated requirements for PCI DSS compliance:
| Goal | Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and Maintain Network Security Controls<br>2. Apply Secure Configurations to All System Components |
| Protect Account Data | 3. Protect Stored Account Data<br>4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
| Maintain a Vulnerability Management Program | 5. Protect All Systems and Networks from Malicious Software<br>6. Develop and Maintain Secure Systems and Software |
| Implement Strong Access Control Measures | 7. Restrict Access to System Components and Cardholder Data by Business Need to Know<br>8. Identify Users and Authenticate Access to System Components<br>9. Restrict Physical Access to Cardholder Data |
| Regularly Monitor and Test Networks | 10. Log and Monitor All Access to System Components and Cardholder Data<br>11. Test Security of Systems and Networks Regularly |
| Maintain an Information Security Policy | 12. Support Information Security with Organizational Policies and Programs |
Logging is a foundational component of a Defense in Depth security strategy. It is so important that PCI DSS dedicates specific requirements to what should be collected, and why.
A few sections go into more detail, and we highlight them below for easy access and reference:
The PCI DSS Glossary defines a security event as "an occurrence considered by an organization to have potential security implications to a system or its environment. In the context of PCI DSS, security events identify suspicious or anomalous activity." Because this language leaves room for interpretation, PCI DSS goes on to specify more precisely the types of events that must be logged in requirement 10.2.
| Requirement | Sub-requirements |
|---|---|
| 10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. | 10.2.1 Audit logs are enabled and active for all system components and cardholder data.<br>10.2.2 Audit logs record the following details for each auditable event: |
| 10.2.1 Audit logs are enabled and active for all system components and cardholder data. | 10.2.1.1 Audit logs capture all individual user access to cardholder data.<br>10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.<br>10.2.1.3 Audit logs capture all access to audit logs.<br>10.2.1.4 Audit logs capture all invalid logical access attempts.<br>10.2.1.5 Audit logs capture all changes to identification and authentication credentials including, but not limited to:<br>10.2.1.6 Audit logs capture the following:<br>10.2.1.7 Audit logs capture all creation and deletion of system-level objects. |
| 10.3 Audit logs are protected from destruction and unauthorized modifications. | 10.3.1 Read access to audit log files is limited to those with a job-related need.<br>10.3.2 Audit log files are protected to prevent modifications by individuals.<br>10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.<br>10.3.4 File integrity monitoring or change-detection mechanisms are used on audit logs to ensure that existing log data cannot be changed without generating alerts. |
| 10.5 Audit log history is retained and available for analysis. | 10.5.1 Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. |
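The two requirements that most often need engineering rather than configuration are 10.3.4 (existing log data cannot be changed without generating an alert) and 10.5.1 (12 months retained, the most recent three months immediately available). The following is an added example, not code from the original page or from the PCI Security Standards Council: a minimal tamper-evident audit log in which each entry carries an HMAC over the previous entry's MAC and its own content, so that modifying, deleting or reordering any entry breaks the chain from that point on, plus a helper that classifies a record's age against the 10.5.1 retention windows. The key name `LOG_SERVER_KEY`, the function names, the 90-day and 365-day interpretations of "three months" and "12 months", and all record contents and dates are assumptions made for the example.

```python
"""Added example: a hash-chained (HMAC-linked) audit log with chain
verification, and a retention classifier for the PCI DSS 10.5.1 windows.
Every record, date and key below is constructed sample data."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumption for the example: the key lives on the central log server
# (10.3.3), not on the hosts that emit events, so an intruder on a host
# cannot recompute the chain after altering earlier entries.
LOG_SERVER_KEY = b"constructed-demo-key-not-for-production"
GENESIS_MAC = "0" * 64  # link value used before the first entry


def _record_mac(prev_mac: str, record: dict) -> str:
    """HMAC-SHA256 over the previous link and the canonical JSON of this record."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_SERVER_KEY, payload, hashlib.sha256).hexdigest()


def append_record(chain: list, record: dict) -> dict:
    """Append a record, linking it to the MAC of the previous entry."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS_MAC
    entry = {"record": record, "mac": _record_mac(prev_mac, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (True, None) if every link checks out, else (False, index)
    of the first entry whose MAC no longer matches. Because each MAC
    covers the previous one, a changed, removed or reordered entry
    invalidates everything after it; a False result is the alert
    condition that 10.3.4 requires change-detection to raise."""
    prev_mac = GENESIS_MAC
    for i, entry in enumerate(chain):
        expected = _record_mac(prev_mac, entry["record"])
        if not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev_mac = entry["mac"]
    return True, None


def retention_status(record_time: datetime, now: datetime) -> str:
    """Classify a record against 10.5.1.
    'online'    : within the most recent three months (assumed 90 days),
                  must be immediately available for analysis.
    'archive'   : older than that but within 12 months (assumed 365 days),
                  must still be retained and restorable.
    'expirable' : beyond the minimum retention window."""
    age = now - record_time
    if age <= timedelta(days=90):
        return "online"
    if age <= timedelta(days=365):
        return "archive"
    return "expirable"


def demo():
    """Build a small chain from constructed events, tamper with one entry,
    and report what verification and retention classification return."""
    chain = []
    for rec in [
        {"ts": "2024-05-15T10:00:00Z", "user": "alice", "event": "chd_read"},
        {"ts": "2024-05-15T10:05:00Z", "user": "admin", "event": "config_change"},
        {"ts": "2024-05-15T10:06:00Z", "user": "bob", "event": "login_failed"},
    ]:
        append_record(chain, rec)
    intact = verify_chain(chain)
    chain[1]["record"]["user"] = "nobody"  # simulate an after-the-fact edit
    tampered = verify_chain(chain)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    status = retention_status(datetime(2024, 1, 1, tzinfo=timezone.utc), now)
    return intact, tampered, status


if __name__ == "__main__":
    print(demo())
```

The chain only detects changes; it does not prevent them, which is why 10.3.3's prompt copy to a central server and 10.3.1's read restrictions still apply. Anchoring the latest MAC somewhere the log writer cannot reach (a separate system, or a periodically signed checkpoint) is what turns "an entry was changed" into "and the change cannot be hidden by re-chaining".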