If you don’t have precise details on how and when your data is being accessed, updated, or deleted, you’ll struggle to identify attacks on your systems. Also, you’ll have insufficient information to investigate if something goes wrong, especially after a data breach.
Fortunately, PCI DSS Requirement 10 calls for keeping, monitoring, and retaining comprehensive audit logs.
The standard mandates that certain activities — especially reading, writing, or modifying data (see PCI DSS Requirement 10.2) — be recorded in automated audit trails for all system components. These components include external-facing technologies and security systems, such as firewalls, intrusion-detection and intrusion-prevention systems, and authentication servers.
In addition, the standard describes how to record specific details so that you know the who, what, where, when, and how of all data accesses. Any root or administrator user access, for example, should be logged, especially when a privileged user escalates his privileges before attempting data access.
PCI DSS Requirement 10.4 also calls for all cardholder data environment system components to be configured to receive accurate time-synchronization data. If you don’t already have this capability, you may need to upgrade your systems.
One important piece of information to log is any failed access attempt — a good indicator of a brute-force attack or sustained guessing of passwords, especially if the access log has lots of entries. You must also record additions and deletions, such as increased access rights, lower authentication constraints, temporary disabling of logs, and software substitution (which could be a sign of malware).
After you create your audit logs, you must ensure that the logs are secured in such a way that they can’t be altered. You must use a centralized PCI DSS logging solution (see PCI DSS Requirement 10.5.3) with restricted access and sufficient capacity to retain at least 90 days’ worth of log data from all system components within the cardholder data environment, with the remainder of a full year available for restoration if needed.
As well as ensuring that required details are generated, centrally stored, and secured against unauthorized access or modification, you must monitor your logs and security events on at least a daily basis, with alerts requiring review at any time of day or night (see PCI DSS Requirements 10.6 and 12.10.3). This requirement helps you identify anomalies and suspicious activity.
Thales recommends you consider implementing a centralized logging solution that accounts for future capacity and includes reporting tools.
Note: This material is drawn from PCI Compliance & Data Protection for Dummies, Thales Limited Edition, by Ian Hermon and Peter Spier.