Payment Card Industry Data Security Standard (PCI DSS) compliance is a major concern for everyone who processes electronic card payments. The standard applies to ecommerce (online) and “offline” transactions alike, “offline” here meaning any card transaction other than customer-initiated, Internet-based processing.
The logging and monitoring requirements for PCI DSS compliance are contained in Requirement 10 of the standard, which covers tracking and monitoring of all access to network resources and cardholder data. These are mandatory for any organisation that wants to pass an assessment, not optional guidance. Fortunately, the audit logs that must be generated to satisfy Requirement 10 also cover most of the logging and documentation obligations imposed by other laws and regulations.
Thus putting your house in order regarding PCI DSS logging will have the beneficial side effect of fulfilling most of the auditing and logging requirements from other areas, leaving you to plug the remaining gaps as your circumstances dictate. Finance departments tend to like this approach because it addresses their area of immediate concern first: the ability to keep accepting card payments, i.e. cash flow.
PCI DSS Compliance Logging Requirements
Here are the major computer, network and Internet activities that you will need to log in order to satisfy PCI DSS compliance requirements grouped by activity and class:
Synchronization – All system clocks in the environment must be synchronized using a time-synchronization technology (NTP is the usual choice), and the synchronization procedures and mechanisms must be thoroughly documented. It is not enough for a log file to carry a date: every individual event in the log must carry its own timestamp taken from the synchronized clock, so that events from different systems can be correlated in sequence during an investigation.
Authentication Mechanisms – Current computer, system and network authentication mechanisms need thorough documentation, along with logs detailing changes to authentication mechanisms, failed authentication attempts, password changes, administrative authentication-related activities (such as elevation of privileges and the creation or deletion of administrative accounts), change procedures and change notification procedures.
Audit Logs – Events requiring documentation and logging here include all access to audit logs (by whom, when, from where and why), any modification of audit logs or of the audit logging procedures themselves, and the stopping, clearing or destruction of audit logs. These requirements apply to all components of the network, including individual computers, servers and networking devices, as well as the services offered (e.g. Internet-facing services). In practice this means shipping logs promptly to a central, hardened log server that the originating system's administrators cannot alter, so that an attacker who compromises a host cannot quietly erase the evidence.
Cardholder Data – You must thoroughly document cardholder data access, processes, procedures and security controls. This includes a record of who is explicitly authorized to access cardholder data, and who is not, and details of the assets and resources (systems, databases, applications, storage) involved in those processes.
Cardholder data related logs must capture every individual access to cardholder data, whether successful or denied, including maintenance and formal audit access. Other cardholder data events that need logging include storage, updating and maintenance of cardholder data, valid and invalid application and access events, any additional actions performed on cardholder data or in cardholder data processing, and transaction verification and validation, including the logging requests themselves.
System-Level Objects – You must log all system-level object events, including creation, deletion, modification and read access. This covers system-level events at the machine level, including workstations and clustered computer resources, as well as in the datacenter.
Common Network and Cardholder Access Events – Every cardholder data access or network access event logged must record, at a minimum: the user identifier, the type of event, the date and time, the result of the attempt (success or failure), the origin of the event (source system or address), and the identity of the affected data, system component or resource (for example the data file name, database, application or network device). Administrative activities and configuration modifications are logged with the same set of fields.
Security Policies Documentation – All applicable security-related aspects of payment card transactions and processing must be logged, documented and retained. This includes proactive and reactive measures alike, on an enterprise-wide basis. If you are a one-store small business, this still covers every aspect of business activity that may involve the use of payment cards and electronic funds transfers.
Privacy and Privacy Regulations – Privacy and the secure retention and management of personally identifiable information, including payment card related data, must comply with every local, regional, national and international jurisdiction within which the transactions take place or which they cross. These processes and procedures will need to be thoroughly documented and supported with the relevant logs as documentary proof of compliance should a breach occur.
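The Synchronization, Audit Logs and Common Network and Cardholder Access Events items above describe what each audit record must contain; the following is an added example (not code from the original article) of a check a practitioner can run over exported audit records to find the ones an assessor would reject. It assumes the records are newline-delimited JSON with the field names `user_id`, `event_type`, `timestamp`, `result`, `origin` and `resource`, and the event type names are likewise assumptions for illustration; the sample log is constructed. It rejects records missing a required field, records whose result is something other than success/failure, and records whose timestamp has no UTC offset (which cannot be ordered reliably against other systems), and it separately surfaces audit-trail clearing events even when the record itself is malformed.

```python
"""Check audit records against the PCI DSS Requirement 10 field list.

Added example: validates newline-delimited JSON audit events. Field names,
event type names and the sample log are constructed assumptions.
"""
import json
from datetime import datetime, timezone

# Fields every audit record must carry: user, event type, date/time, result,
# origin, identity of affected data/resource. Field names are an assumption.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "result", "origin", "resource")
VALID_RESULTS = {"success", "failure"}
# Event types whose mere occurrence should be reviewed: tampering with the audit trail.
AUDIT_TRAIL_EVENTS = {"audit_log_clear", "audit_log_stop", "audit_log_modify"}


def parse_timestamp(value):
    """Return an aware UTC datetime, or None if the timestamp is unusable.

    Accepts ISO 8601 with an explicit offset or a trailing 'Z'. A naive
    timestamp (no zone) is rejected: without one, events from different
    hosts cannot be placed in order reliably.
    """
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:
        return None
    return ts.astimezone(timezone.utc)


def validate_record(record):
    """Return the list of problems with one record; an empty list means compliant."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("result") and record["result"] not in VALID_RESULTS:
        problems.append(f"result must be success/failure, got {record['result']!r}")
    if record.get("timestamp") and parse_timestamp(record["timestamp"]) is None:
        problems.append("timestamp is not ISO 8601 with a UTC offset")
    return problems


def validate_log(lines):
    """Validate NDJSON audit lines; return {line_no: [problems]} for bad lines only."""
    report = {}
    for n, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            report[n] = ["not valid JSON"]
            continue
        if not isinstance(record, dict):
            report[n] = ["record is not a JSON object"]
            continue
        problems = validate_record(record)
        if problems:
            report[n] = problems
    return report


def audit_trail_events(lines):
    """Return (line_no, user_id, event_type) for events touching the audit trail.

    Runs independently of validation so a clearing of the audit log is never
    silently dropped just because the record is otherwise malformed.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict) and record.get("event_type") in AUDIT_TRAIL_EVENTS:
            hits.append((n, record.get("user_id", "<unknown>"), record["event_type"]))
    return hits


# Constructed sample: one compliant record, one missing the user and using a
# non-standard result value, one with a naive timestamp on a log-clearing event,
# and one corrupt line.
SAMPLE_LOG = [
    '{"timestamp":"2024-03-01T10:15:30Z","user_id":"jdoe","event_type":"chd_read",'
    '"result":"success","origin":"10.0.1.25","resource":"db01:cardholder.pan"}',
    '{"timestamp":"2024-03-01T10:15:31Z","event_type":"chd_read","result":"ok",'
    '"origin":"10.0.1.25","resource":"db01:cardholder.pan"}',
    '{"timestamp":"2024-03-01 10:15:32","user_id":"svc_batch","event_type":"audit_log_clear",'
    '"result":"success","origin":"10.0.1.9","resource":"/var/log/audit/audit.log"}',
    'garbage line',
]

if __name__ == "__main__":
    for line_no, problems in sorted(validate_log(SAMPLE_LOG).items()):
        print(f"line {line_no}: {'; '.join(problems)}")
    for line_no, user, event in audit_trail_events(SAMPLE_LOG):
        print(f"REVIEW line {line_no}: {event} by {user}")
```

Run against the sample, lines 2, 3 and 4 are reported as non-compliant and the log-clearing event on line 3 is flagged for review regardless. The timestamp rule is deliberately strict: a log pipeline that strips the zone while reformatting dates is one of the more common ways an otherwise synchronized environment ends up with events that cannot be correlated.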