PCI compliance requirement 10: Auditing
Date: Jun 01, 2009
Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 10: "Track and monitor all access to network resources and cardholder data." PCI compliance Requirement 10 calls for:
- The maintenance of system logs and procedures that use, correlate and retain them,
The PCI experts also address common questions related to PCI compliance requirement 10, like "Does a log aggregator or correlation engine satisfy the standard?"
Watch the rest of the PCI compliance videos, as Diana Kelley and Ed Moyle offer advice requirement by requirement.
Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:
- Version 1.2 of PCI DSS answers questions, raises others
- PCI version 1.2 clarifications: How to get an early start on compliance audits
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Diana Kelley: So requirement ten is another one that I think kind of blows up quite a bit when you're talking to companies about, "Wow, how do we actually accomplish this?" and the core of the track monitor is that you need to aggregate the log information about access and transactions; and you need to check those daily. Because there is a requirement not just that they aggregate, but that they often get checked, which is a big surprise to a lot of companies . . .
Ed Moyle: Sure.
Diana Kelley: That really weren't bringing all this data together or checking it every single day. Yeah, it is daily. That's definitely for real. Another thing that I hear of as a question is, can you use a log aggregator, is there a special tool that's required in order to bring these together?
Ed Moyle: Yeah, is there a tool that's required? Well, no, but it actually even says this in the requirement text itself, that aggregation and correlation tools can be used to hit the daily log review requirement as part of that. So, 99% of the time, using some kind of product is going to be cheaper than having your staff actually review all of the logs on a daily basis.
Diana Kelley: And I have heard a number of entities say even SIM and SEM adoption did go up, specifically in relation to this requirement. You don't need to have a SIM or SEM tool, but a lot of communities find that's been the easiest or most expedient way to get to meeting this. One kind of "gotcha" that's probably worth a quick note is, watch what you're logging.
Ed Moyle: That's a good point.
Diana Kelley: Because we mentioned this a little earlier, but a lot of times companies are actually logging tracking data, they're logging CVV numbers.
Ed Moyle: Absolutely, they sure are.
Diana Kelley: So, you want to monitor that access, but you don't want to store anything that's not storable in the log file.
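The "watch what you're logging" point above, as an added example that is not part of the original video or transcript: a small Python filter that inspects a line before it is written to the log, removes track-2 data and CVV fields, and masks Luhn-valid PANs while leaving look-alike numbers such as order ids alone. The log lines are constructed samples, and the field names (swipe, pan, cvv) are assumptions.

```python
import re

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2009-06-01T10:15:02 INFO auth user=alice action=login result=ok",
    "2009-06-01T10:15:09 DEBUG pos swipe=;4111111111111111=09121011234567890?",
    "2009-06-01T10:15:10 DEBUG checkout pan=4111 1111 1111 1111 cvv=123 amount=42.00",
    "2009-06-01T10:15:11 INFO order id=2009060112345678 status=approved",
]

def luhn_ok(digits):
    """True if the digit string passes the Luhn mod-10 check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Track 2 as read from a magnetic stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d*\??")
# CVV / CVC style key-value pairs written by application code.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b")
# 13-19 digits, optionally space- or dash-separated; Luhn decides whether it is a PAN.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def mask_pan(m):
    digits = re.sub(r"[ -]", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)       # e.g. an order number: not a card number, keep it
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub(line):
    """Return (sanitized_line, findings); findings names what was removed or masked."""
    findings = []
    if TRACK2_RE.search(line):          # full track data must never reach the log
        findings.append("track2")
        line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)
    if CVV_RE.search(line):             # CVV is never storable, even masked
        findings.append("cvv")
        line = CVV_RE.sub(lambda m: m.group(1) + "=[REMOVED]", line)
    masked = PAN_RE.sub(mask_pan, line)  # first six / last four is the allowed form
    if masked != line:
        findings.append("pan")
    return masked, findings

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        clean, found = scrub(raw)
        print(found or "clean", "|", clean)
```

The findings list is what you would count and alert on in the daily review, since repeated hits on one source point at code that is logging card data.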