Suppose you visit a shopping mall and pick up a few fashion accessories...
Suppose you visit an online shopping portal, e.g. eBay or Amazon, and select a few new clothes for your wardrobe....
QUESTION:
In which of the above situations would you be more confident using your CREDIT CARD?
The first one, the second one, both, or neither?
Your confidence in using your credit card depends on how careful the retailer is about PCI-DSS. That is the starting point and the end point. None of us wants our credit card information or financial credentials to be breached...
In the early 2000s, before the first version of PCI DSS appeared in December 2004, there was no single standard for card processing. Visa, MasterCard, American Express, Discover, JCB etc. each had their own security program. Imagine being a retailer accepting all of those payment methods and having a different compliance standard for each one! It was a nightmare for retailers and merchants, because there was no cohesion among those individual standards.
That is why, when PCI-DSS arrived, it made things simpler for businesses.
Most people do not understand the logging requirements of PCI-DSS, and not knowing them can result in a failed PCI-DSS compliance audit.
Here is what you need to know to make PCI-DSS compliance easier as far as logging requirements are concerned.
PCI-DSS and Your Logging Requirements
If you wish to make PCI-DSS compliance easier to achieve, follow this small set of recommendations:
1. The most important point, to remember forever, is Requirement 10: track and monitor all access to network resources and cardholder data.
This is the golden rule of logging-related compliance. Make it your motto, and if you follow it earnestly it will guide all the other details. The requirement does not literally say "log everything", but in practice it is far safer to log too much than not enough: neither an auditor nor an incident responder can reconstruct an event that was never recorded. Log-analysis tools and a SIEM can take all of your logs, whether your network is on premises, in the cloud or hybrid, but they only manage what you actually send them. So the grand point is this: every security-relevant action in your network should be recorded and attributable to a specific user or process.
2. Next, take extensive care to protect access to your logs. Limit viewing of audit trails to people with a job-related need, and protect the log files from modification by anyone, administrators included; back them up promptly to a central log server or other media that the monitored hosts cannot alter (requirements 10.5.1 to 10.5.3 in PCI DSS v3.2.1). Everything an administrator does on your POS systems and other networks must itself be logged and attributable to that administrator. If a user who is not an administrator can view or modify your logs, the integrity of your POS data is needlessly at risk; never let that happen in the first place.
3. Next, every user in your networks must have a unique user ID (strictly this is Requirement 8, but logging depends on it). Do not let more than one human being share a user account or username. If an action someone takes in your network cannot be attributed to a specific individual, your PCI DSS compliance audit will most likely fail.
4. Make a habit of examining your logs regularly. Daily is best, and PCI DSS in fact requires at least daily review of security events and of the logs from systems that store, process or transmit cardholder data (10.6.1 in v3.2.1). Otherwise you cannot be sure of the integrity and reliability of what you are logging. You could fulfil this requirement by having a specifically trained person read the logs manually, but automated log-analysis and event-monitoring tools are far more effective at the volumes involved. There is no doubt that your organization will then be better able to stop cyber incidents before they harm your POS systems and your retail organization as a whole.
5. TIME and timing are everything. Make sure the clocks that drive your systems and applications are set accurately and kept synchronized: PCI DSS requires time-synchronization technology (NTP in practice), with time taken from industry-accepted external sources and clock changes restricted to authorized staff (10.4 in v3.2.1). Log timestamps are taken from the clock of the device or application that writes them, so all timestamps in all types of logs must agree. Configure your systems to apply adjustments such as daylight-saving transitions automatically, or better, log in UTC (or with an explicit UTC offset) so that the one-hour jump at a DST change cannot reorder or hide events. Whether a customer makes a purchase or an unauthorized user tries to reach your sensitive POS data, you must know exactly WHEN it happened for your logs to meet PCI DSS compliance standards.
6. Another mandatory requirement is log retention: keep your logs for at least one year, with at least the most recent three months immediately available for analysis, i.e. online or quickly restorable (10.7 in v3.2.1). You can keep them longer if you wish, but one year is the absolute minimum for PCI DSS compliance. Retain the output of your automated log-analysis tools for at least a year as well.
7. Be mindful of which critical events must be logged. PCI DSS (10.2 in v3.2.1) lists these as the minimum:
- any individual user access to cardholder data
- all actions taken by anyone with root or administrative privileges
- any access to audit trails
- any invalid logical access attempts
- any use of, and changes to, identification and authentication mechanisms (including creation of new accounts and elevation of privileges)
- any initialization, stopping or pausing of the audit logs
- the creation and deletion of system-level objects
That is why you and your team must deliberate carefully on which other events are critical in your environment and must also generate logs. Time spent defining these will be worth its weight in gold!
8. Every log record must contain the following information, consistently (10.3 in v3.2.1):
- user identification
- type of event
- date and time
- success or failure indication
- origination of the event
- the identity or name of the affected data, system component or resource
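The daily-review logic of points 4, 7 and 8 above, as an added example that is not code from the original post: it reads constructed JSON-lines audit records, checks each record for the fields of point 8 (user identification included), normalizes the timestamps to UTC so that records from hosts with different offsets (for example either side of a daylight-saving change, point 5's concern) sort correctly, and raises an alert for each event class of point 7 and for any failed action. The record format, field names, event names and sample lines are assumptions made for the illustration; a real SIEM would map its own schema onto them.

```python
"""Added example (not from the original post): 10.3-style field validation and
10.2-style critical-event detection over constructed sample log lines."""
import json
from datetime import datetime, timezone

# Fields every audit record must carry (the PCI DSS 10.3 list, user
# identification included). The field names are an assumption of this example.
REQUIRED_FIELDS = ("user", "event", "time", "result", "origin", "target")

# Event classes that PCI DSS 10.2 says must always be logged; the keys are the
# hypothetical event names used by this example's log format.
CRITICAL_EVENTS = {
    "chd_access": "individual access to cardholder data",
    "admin_action": "action by root/administrative user",
    "audit_access": "access to audit trail",
    "auth_failure": "invalid logical access attempt",
    "auth_change": "use of or change to authentication mechanism",
    "log_control": "initialization, stopping or pausing of audit logs",
    "object_change": "creation or deletion of system-level object",
}

# Constructed sample records, one JSON object per line. The first two fall
# either side of the 2023-03-12 US daylight-saving change, so their local
# UTC offsets differ (-05:00, then -04:00).
SAMPLE_LOG = """\
{"user":"alice","event":"chd_access","time":"2023-03-12T01:59:00-05:00","result":"success","origin":"10.1.2.3","target":"db.cardholders"}
{"user":"bob","event":"auth_failure","time":"2023-03-12T03:05:00-04:00","result":"failure","origin":"10.1.2.9","target":"pos-01"}
{"user":"root","event":"log_control","time":"2023-03-12T03:06:10-04:00","result":"success","origin":"console","target":"auditd"}
{"user":"svc_batch","event":"file_read","time":"2023-03-12T03:07:00-04:00","result":"success","origin":"10.1.2.50","target":"/var/tmp/report.csv"}
{"event":"chd_access","time":"2023-03-12T03:08:00-04:00","result":"success","origin":"10.1.2.3","target":"db.cardholders"}
{"user":"carol","event":"admin_action","time":"not-a-time","result":"success","origin":"10.1.2.7","target":"pos-02"}
"""


def parse_record(line):
    """Parse one JSON log line into (record, problems).

    problems lists every missing required field and any timestamp that cannot
    be parsed or carries no UTC offset. A parsable timestamp is normalized to
    UTC in record["time_utc"] so that records from hosts in different zones
    order correctly.
    """
    rec = json.loads(line)
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in rec]
    if "time" in rec:
        try:
            ts = datetime.fromisoformat(rec["time"])
        except ValueError:
            problems.append(f"unparsable timestamp: {rec['time']!r}")
        else:
            if ts.tzinfo is None:
                problems.append("timestamp has no UTC offset")
            else:
                rec["time_utc"] = ts.astimezone(timezone.utc).isoformat()
    return rec, problems


def review_log(text):
    """Daily-review pass over the text of a log file.

    Returns (alerts, malformed):
      alerts    - (time_utc, user, description) for every 10.2 critical event
                  or failed action, sorted by UTC time
      malformed - (line_no, problems) for records failing the 10.3 field check;
                  these deserve an alert of their own, because a record you
                  cannot attribute or date is a finding, not just noise
    """
    alerts, malformed = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec, problems = parse_record(line)
        if problems:
            malformed.append((line_no, problems))
            continue
        if rec["event"] in CRITICAL_EVENTS or rec["result"] == "failure":
            desc = CRITICAL_EVENTS.get(rec["event"], "failed action")
            alerts.append((rec["time_utc"], rec["user"], desc))
    alerts.sort()
    return alerts, malformed


if __name__ == "__main__":
    found, bad = review_log(SAMPLE_LOG)
    for when, who, what in found:
        print(f"ALERT {when} {who}: {what}")
    for line_no, why in bad:
        print(f"MALFORMED line {line_no}: {'; '.join(why)}")
```

On the sample input the routine raises three alerts (alice's cardholder-data access, bob's failed login, root stopping the audit log) and reports two malformed records: line 5 has no user field, so the action cannot be attributed to anyone, and line 6 has a timestamp that cannot be parsed, so nobody can say when that administrative action happened. Both are exactly the conditions that cost audits.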
Remember:
Protecting the log data is as critical as analyzing it: the original records must be collected and stored securely so that, in any IT security incident or forensic investigation, you can show that they have not been altered in any way.
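One way to make the stored records tamper-evident, as wanted by point 2 and the reminder above: an added example (not the post's own code, and not a substitute for the file-integrity monitoring PCI DSS asks for) that links each audit record to the previous one with an HMAC, so that editing, deleting or reordering an already-written record is detected at review time. The key, record format and sample records are constructed for the illustration.

```python
"""Added example (not from the original post): tamper-evident audit records
using an HMAC hash chain, with a verifier that reports the first broken link."""
import hashlib
import hmac

# Hypothetical key for the illustration. In a real deployment the key is held by
# the central log collector, not by the POS host that writes the records, so a
# local administrator cannot recompute the MACs after editing a record.
SIGNING_KEY = b"example-only-key-do-not-reuse"
GENESIS = "0" * 64  # link value used for the very first record

# Constructed audit records, in write order.
SAMPLE_RECORDS = [
    "2023-03-12T06:59:00Z alice chd_access success 10.1.2.3 db.cardholders",
    "2023-03-12T07:05:00Z bob auth_failure failure 10.1.2.9 pos-01",
    "2023-03-12T07:06:10Z root admin_action success console pos-01",
]


def _mac(prev, text, key):
    """HMAC-SHA256 over the previous link and this record's text."""
    return hmac.new(key, (prev + "\n" + text).encode(), hashlib.sha256).hexdigest()


def chain_records(records, key=SIGNING_KEY):
    """Wrap each record as {"text", "prev", "mac"}. Every MAC covers the
    previous MAC, so changing, removing or reordering an earlier record
    invalidates every link after it."""
    chained, prev = [], GENESIS
    for text in records:
        mac = _mac(prev, text, key)
        chained.append({"text": text, "prev": prev, "mac": mac})
        prev = mac
    return chained


def verify_chain(chained, key=SIGNING_KEY):
    """Return the index of the first record whose link or MAC is wrong, or
    None if the whole chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(prev, rec["text"], key)):
            return i
        prev = rec["mac"]
    return None


if __name__ == "__main__":
    chain = chain_records(SAMPLE_RECORDS)
    print("intact chain:", verify_chain(chain))  # None
    edited = [dict(r) for r in chain]
    edited[1]["text"] = edited[1]["text"].replace("failure", "success")
    print("edited record detected at index:", verify_chain(edited))  # 1
    print("deleted record detected at index:", verify_chain(chain[:1] + chain[2:]))  # 1
```

Two caveats a reviewer should keep in mind. First, the chain only proves integrity to whoever holds the key: if the key sits on the same host as the logs, an administrator there can rewrite a record and recompute every MAC after it, which is why the signing belongs on the central log server of point 2. Second, silently dropping records from the end of the chain leaves a valid shorter chain; to detect truncation the collector must also record the latest MAC somewhere the writer cannot reach (for example by forwarding it to the SIEM at a fixed interval).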
If your organization is trying to become PCI-DSS compliant and has been looking at PCI-DSS Requirement 10 wondering what to do, you are not alone. This requirement poses some of the biggest hurdles for organizations trying to comply with PCI. But if you follow the advice above, you are much more likely to meet it.
Kindly leave your comments on these posts and topics; when you do, you help me greatly in designing new quality articles and posts on cybersecurity.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about cybersecurity that she goes out of her way to share valuable posts and writings about it on her website and on social media.
34,000+ professionals follow her on Facebook for the quality of her posts.
If you have not yet come across her work sharing quality information about cybersecurity, you can follow her on Facebook: Cybersecurity PRISM