PCI DSS Blog Series – Requirement 10

The Payment Card Industry Data Security Standard (PCI DSS) consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. We find that companies considering PCI are often caught off guard by how comprehensive the PCI DSS is. So, we thought we would help!

CompliancePoint’s PCI blog series will analyze each of the 12 Requirement families. We will outline common challenges our customers face with each requirement, answer some frequently asked questions, and provide some pro tips on becoming PCI certified.

This next entry of the PCI Series is Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 10: Track and monitor all access to network resources and cardholder data

PCI DSS Requirement 10 relates to the monitoring and tracking of individual access to system components, applications, databases, or any other device where cardholder data can be stored, processed, or transmitted.

The monitoring of authorized resources access and use of the network components is considered vital to protecting cardholder data and more.  The implementation of an automated or manual system, supported by a robust process of audit log review, serves to provide an organization with a level of protection that enhances its overall control environment.

An organization should be certain that the configuration and operation of such a system, and review process, includes all in-scope network components and collects the level of information required by the PCI DSS Council.

Common Challenges:

There can be several challenges presented during the setup of a system designed to monitor internal and external user activity.  Common challenges faced by many organizations can include the following:

• Definition and inclusion of all PCI DSS in-scope components
  • Identification of all in-scope components is critical to the protection of cardholder data.  In some cases, definition can be the most challenging task if/when an organization is not aware of what component should be considered in scope for PCI DSS compliance.
• Configuration of an automated logging solution that provides timely and telling notification
  • Notification of when an event occurs and by what medium can also be a challenging task.  In many instances, notification options are not properly set up to notify the appropriate person(s) in a timely fashion.  This offers a malicious user every opportunity to manipulate and/or collect cardholder data.
• Resource availability to review logged activity in a timely fashion
  • The availability of resources to review logged activity, including the outside notification of potential malicious behavior, is essential to the protection of the components and cardholder data. A review of logged activity can identify a need to enhance what is logged, how frequently logs are generated, and more.

Addressing these challenges can ensure that unauthorized activity does not go unnoticed and/or unaddressed, which positions an organization to ensure this layer of protection is properly implemented.

Tips for Success:

The successful implementation of an audit and logging solution can and should be regarded as a high priority for any organization interested in the true protection of PCI DSS-related information and more.  Access to and use of these types of information is paramount to ensuring that the components and data are being used by authorized resources and for authorized business use.  An organization’s road to a successful implementation and maintenance should include the following:

• Management support
  • The necessity for such a solution should be communicated by the highest ranks of management with capital and human resources made available
• Identification of a solution
  • The selection of an appropriate automated solution or definition of a manual process serves as the first step in ensuring authorized access to and use of cardholder data
• Definition of all supporting processes
  • The collection of logged data is just one part of providing adequate protection.  An organization should take the necessary steps to review the data and ensure it is authorized to access and use.

Conclusion

Requirement 10 strives to ensure safe and reliable transfer of cardholder data via the monitoring and analysis of in-scope network component activity logs.

To remain compliant with the standard, organizations face an uphill battle to protect customer data against a multitude of threats, the list of which grows daily. 

Organizations within varied industries face these challenges and more:

• Centralized logging
  • The PCI DSS standard requires the gathering of log data into one central location for review and root-cause analysis and audit queries should a vulnerability be found.
• Daily reviews
  • The PCI DSS standard calls for frequent review of activity and logs so that anomalies or threats are proactively addressed and don’t have time to fester in your environment.
• Data retention
  • In most instances, you will be able to purge the data once a successful audit report is completed and rely on the audit report to address any compliance questions that arise.

Strong, sound internal policies for your compliance team can address these challenges.

Check Out Other Posts in this Series

• PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• PCI DSS Requirement 3: Protect stored cardholder data
• PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks
• PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
• PCI DSS Requirement 6: Develop and maintain secure systems and applications
• PCI DSS Requirement 7: Restrict access to cardholder data by business need to know
• PCI DSS Requirement 8: Identify and authenticate access to system components
• PCI DSS Requirement 9: Restrict physical access to cardholder data
• PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data
• PCI DSS Requirement 11: Regularly test security systems and processes
• PCI DSS Requirement 12: Maintain a policy that addresses information security for all personnel

CompliancePoint is a Qualified Security Assessor Company (QSAC). Our consultants have decades of experience as practitioners and auditors. Please reach out to us at connect@compliancepoint.com if you have any questions about this requirement or how CompliancePoint can assist your organization with preparing for your PCI DSS Certification.