Log Management and PCI-DSS


Log management and PCI-DSS are closely connected. PCI-DSS (Payment Card Industry Data Security Standard) is a compliance standard for protecting consumer payment and financial data. Any organization that handles payment card information is required to comply with it, and the standard spells out the security controls that organizations must implement in order to do so.

What are the requirements of PCI-DSS?

The 12 requirements for compliance with the standard are as follows:

  1. Install and maintain network security controls.
  2. Apply secure configurations to all system components.
  3. Protect stored consumer financial data.
  4. Protect and encrypt cardholder data during transmission.
  5. Protect systems and networks from malware.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data based on the principle of least privilege.
  8. Track and monitor access to network resources storing cardholder data.
  9. Restrict physical access to cardholder data.
  10. Record and monitor access to network resources storing cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain security policies and ensure employees are aware of them.

Requirement #10 of PCI-DSS: Log Management

Under requirement 10, organizations must record and monitor all access to network resources that store cardholder data. Logging mechanisms and the ability to track user activity are essential for preventing, detecting, and minimizing the impact of a data breach.

Having access to log records across all system components and the Cardholder Data Environment (CDE) allows for thorough analysis in the event of cybersecurity incidents. Without log records, it becomes very difficult, if not impossible, to understand the who, what, how, and when of a data breach. Requirement 10 further defines what is meant by logging and monitoring. Specifically, it includes the following:

  • 10.1 Processes and mechanisms for logging and monitoring access to system components and cardholder data are defined and documented.
  • 10.2 Logs are implemented to support the detection of anomalies and suspicious activity and the forensic analysis of events.
  • 10.3 Logs are protected from unauthorized modification and deletion.
  • 10.4 Logs are reviewed regularly to identify anomalies and suspicious activity, with the review frequency based on risk analysis.
  • 10.5 Log history is retained and available for analysis: retention must be at least one year, and the most recent three months must be immediately available.
  • 10.6 System clocks are synchronized using time-synchronization technology, so that events from different systems can be correlated.
  • 10.7 Failures of critical security control systems are detected, reported, and responded to promptly.
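Two of these sub-requirements, tamper protection (10.3) and retention (10.5), are easy to check mechanically. The following is an added example, not code from the article or from any log management product: it chains sample access events with SHA-256 so that any edit or deletion of an earlier record is detected, and classifies each record against the one-year / three-month retention rule. The event format, the `GENESIS` seed and the 90-day / 365-day interpretation of "three months" and "one year" are assumptions made here.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample access events in a cardholder data environment
# (not from the article); timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T09:15:00Z", "user": "svc-batch", "action": "read", "resource": "cardholder_db"},
    {"ts": "2024-01-10T08:00:00Z", "user": "alice", "action": "read", "resource": "cardholder_db"},
    {"ts": "2024-05-01T17:42:00Z", "user": "bob", "action": "export", "resource": "cardholder_db"},
]
GENESIS = "genesis"  # assumed seed for the first link; use a per-file random nonce in practice

def chain_entries(events, seed=GENESIS):
    """Wrap each event in a record carrying the previous record's hash, so
    editing or deleting any earlier record breaks every later link (10.3)."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chained = []
    for ev in events:
        body = json.dumps(ev, sort_keys=True)  # canonical form so the hash is stable
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        chained.append({"entry": dict(ev), "prev": prev, "hash": digest})
        prev = digest
    return chained

def verify_chain(chained, seed=GENESIS):
    """Return the index of the first record whose link fails, or -1 if intact."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, rec in enumerate(chained):
        body = json.dumps(rec["entry"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return -1

def _parse(ts):
    """Parse the 'Z'-suffixed ISO-8601 timestamps used in the sample events."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def retention_status(event_ts, now_ts):
    """Classify an entry against 10.5; assumes here that 'three months' means
    90 days and 'one year' means 365 days."""
    age = _parse(now_ts) - _parse(event_ts)
    if age <= timedelta(days=90):
        return "online"    # must be immediately available for analysis
    if age <= timedelta(days=365):
        return "archived"  # must still be retained, restorable on request
    return "expired"       # may be disposed of under the retention policy
```

Real deployments would anchor each day's final hash somewhere the log writer cannot reach (a separate system or a signed record), since a chain that lives only next to the log can be regenerated by whoever can rewrite the log.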
