This blog is part of a blog series on the 12 requirements of PCI DSS. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement. Here we discuss:


Requirement 10: Track and monitor all access to network resources and cardholder data


According to this requirement, the organization should develop a system to keep track of all activity on the network so that, in case of a breach, the activity logs can be used to trace its cause. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong.


The main challenges and steps to consider


1) It is essential to have a system that links user access to system components. This is the reason why the audit records must be enabled and active for all components in the PCI DSS environment. The audit trails should record the following events:

  • All individual users who have access to cardholder data.
  • All actions performed by an individual with administrative or root privileges.
  • Access to all audit trails.
  • Invalid logical access attempts.
  • Identification and authentication mechanisms.
  • All users with privilege elevation.
  • All changes, additions, or deletions on any account with administrative or root privileges.
  • Initialization, stop or pause of audit logs.
  • Creation and deletion of system-level objects.

2) Implement technology that synchronizes clocks in multiple systems. This condition is crucial for forensic analysis in the case of an incident.
3) Implement access control over audit records based on function segregation and physical segregation to minimize the risk that audit records will be modified.
4) Make an immediate copy of all the records on a centralized server whose access controls prevent their modification.
5) To monitor the integrity of files that do not change regularly, but whose modification indicates a possible compromise, implement a change detection monitoring system that generates alerts.
6) Perform a daily review of the records to identify potential problems or attempts to gain access to sensitive systems.
7) Retain audit records for at least one year, with a minimum of three months immediately available for analysis.
8) Implement a formal process for the timely detection and reporting of failures of critical security control systems such as firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, and audit logging mechanisms.
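
The change detection described in step 5, as an added example (not code from this blog series or from any FIM product): a SHA-256 baseline of a directory is compared with its current state, and every added, removed or modified file becomes an alert. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests

def compare(baseline, current):
    """Return (event, path) alerts, ordered by path, for drift from the baseline."""
    alerts = []
    for path in sorted(baseline.keys() | current.keys()):
        if path not in current:
            alerts.append(("REMOVED", path))
        elif path not in baseline:
            alerts.append(("ADDED", path))
        elif baseline[path] != current[path]:
            alerts.append(("MODIFIED", path))
    return alerts

def demo():
    """Constructed sample: build a small tree, change it, return the alerts."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("sshd_config", b"PermitRootLogin no\n"),
                           ("audit.rules", b"-w /etc/passwd -p wa\n"),
                           ("motd", b"welcome\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)  # in practice, keep the baseline off-host
        with open(os.path.join(root, "sshd_config"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")   # content change
        os.remove(os.path.join(root, "motd"))    # deletion
        with open(os.path.join(root, "unexpected.sh"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")             # new file
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for event, path in demo():
        print(f"ALERT {event}: {path}")
```

The baseline is only trustworthy if it is stored where the monitored host cannot rewrite it, which is the same concern steps 3 and 4 raise for the audit records themselves.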

Audit records are very important for the forensic analysis of incidents. Monitoring systems and the alerts they generate also increase the early detection of threats and failures.
