PCI DSS and Logging

The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard for organizations that handle branded credit cards from the major card providers (e.g., Discover, Visa, AMEX, MasterCard). While mandated by the credit card providers, it's administered by the Payment Card Industry Security Council. The standard itself is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

This standard is built around 6 goals, and those goals are tied to 12 different requirements. These are the goals and associated requirements for PCI DSS compliance:

Goal 1: Build and Maintain a Secure Network and Systems
  1. Install and Maintain Network Security Controls
  2. Apply Secure Configurations to All System Components
Goal 2: Protect Account Data
  3. Protect Stored Account Data
  4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Goal 3: Maintain a Vulnerability Management Program
  5. Protect All Systems and Networks from Malicious Software
  6. Develop and Maintain Secure Systems and Software
Goal 4: Implement Strong Access Control Measures
  7. Restrict Access to System Components and Cardholder Data by Business Need to Know
  8. Identify Users and Authenticate Access to System Components
  9. Restrict Physical Access to Cardholder Data
Goal 5: Regularly Monitor and Test Networks
  10. Log and Monitor All Access to System Components and Cardholder Data
  11. Test Security of Systems and Networks Regularly
Goal 6: Maintain an Information Security Policy
  12. Support Information Security with Organizational Policies and Programs

The PCI DSS goal Trunc is best suited to help with is goal #5, Regularly Monitor and Test Networks, and specifically Requirement #10: Track and monitor all access to network resources and cardholder data.

PCI and Log-Monitoring Requirements

Logging is a foundational component of an appropriate Defense in Depth security strategy. It is so important that PCI DSS dedicates requirements to spelling out what should be collected, and why.

Several sections of the standard go into more detail; we highlight them below for easy access and reference.

The PCI DSS Glossary defines a security event as “an occurrence considered by an organization to have potential security implications to a system or its environment. In the context of PCI DSS, security events identify suspicious or anomalous activity.” Because this language leaves room for ambiguity, PCI DSS goes on to specify more clearly the types of events that must be logged in requirement 10.2.

Requirement 10.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

  10.2.1 Audit logs are enabled and active for all system components and cardholder data.

  10.2.2 Audit logs record the following details for each auditable event:
    • User identification.
    • Type of event.
    • Date and time.
    • Success and failure indication.
    • Origination of event.
    • Identity or name of affected data, system component, resource, or service (for example, name and protocol).

The standard goes deeper into 10.2.1, listing what the audit logs must capture:

Requirement 10.2.1: Audit logs are enabled and active for all system components and cardholder data. Audit logs capture:
  • All individual user access to cardholder data.
  • All actions taken by any individual with administrative access, including any interactive use of application or system accounts.
  • All access to audit logs.
  • All invalid logical access attempts.
  • All changes to identification and authentication credentials, including but not limited to:
      • Creation of new accounts.
      • Elevation of privileges.
      • All changes, additions, or deletions to accounts with administrative access.
  • All initialization of new audit logs, and all starting, stopping, or pausing of the existing audit logs.
  • All creation and deletion of system-level objects.

Collecting logs, and knowing what to collect, are critical, but there is another element that determines whether logs can be relied on when they are needed: they must never be modifiable. This is important enough to have its own requirement, 10.3.

Requirement 10.3: Audit logs are protected from destruction and unauthorized modifications.

  10.3.1 Read access to audit log files is limited to those with a job-related need.

  10.3.2 Audit log files are protected to prevent modifications by individuals.

  10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.

  10.3.4 File integrity monitoring or change-detection mechanisms are used on audit logs to ensure that existing log data cannot be changed without generating alerts.
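A minimal illustration, added here and not part of Trunc or of the PCI DSS text, of how 10.2.2's required event details and 10.3.4's change detection fit together: every record carries the six details plus a hash of the record before it, so any edit to existing log data breaks the chain when it is verified. The field names, the chain format and the sample events are assumptions made for the example.

```python
import hashlib
import json

# Field names mirror the details PCI DSS 10.2.2 requires; the record layout is an assumption.
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "target")


def _digest(record):
    """Hash of the record minus its own hash, over canonical JSON so key order does not matter."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def append(chain, **fields):
    """Append one audit record carrying every required detail plus a link to the previous record."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit record missing required fields: {missing}")
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    record = {"prev_hash": prev_hash, **fields}
    record["hash"] = _digest(record)
    chain.append(record)
    return record


def verify(chain):
    """Return (ok, index_of_first_bad_record): recompute each hash and check its link to the predecessor."""
    expected_prev = "0" * 64
    for i, rec in enumerate(chain):
        if rec.get("prev_hash") != expected_prev or rec.get("hash") != _digest(rec):
            return False, i
        expected_prev = rec["hash"]
    return True, None


def demo():
    """Constructed sample events (not real data): an admin login, then a change to an admin account."""
    chain = []
    append(chain, user="alice", event_type="login", timestamp="2024-01-05T10:00:00Z",
           outcome="success", origin="10.0.0.5", target="pos-db01/ssh")
    append(chain, user="alice", event_type="account_modify", timestamp="2024-01-05T10:01:30Z",
           outcome="success", origin="10.0.0.5", target="account:bob")
    ok_before, _ = verify(chain)
    chain[0]["user"] = "mallory"  # an after-the-fact edit to existing log data, which 10.3.4 requires be detected
    ok_after, bad_index = verify(chain)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(demo())  # (True, False, 0)
```

In practice the chain head would be anchored outside the writer's control (for example, forwarded to the central log server of 10.3.3), since a party who can rewrite the whole file could also rebuild the chain.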

Lastly, logs are only as good as their availability. Too often organizations rotate logs too quickly, making it impossible to reconstruct what happened when an incident occurs. That is why PCI DSS addresses retention in requirement 10.5.

Requirement 10.5: Audit log history is retained and available for analysis.

  10.5.1 Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.

Trunc Solves PCI Logging Requirements

With Trunc, organizations can easily send all their logs to one centralized location. From there, their teams can access, analyze and parse the logs as needed. Trunc also provides a mechanism to ensure the integrity of the logs, making it impossible for users and bad actors to modify them and giving you a source of truth in the event of an incident.

(Image: Trunc dashboard search results)

Simple, affordable, log management and analysis.