PCI DSS logging requirements explained

September 1, 2020  |  Kim Crawley

This blog was written by an independent guest blogger.

As a consumer, I feel more confident about using my credit card online and in brick-and-mortar stores when I know retailers are being careful about PCI DSS compliance. Breached financial credentials can wreak havoc not only on the lives of consumers, but also on the well-being of merchant businesses. I think the PCI DSS is an excellent example of how security standards can be improved when organizations cooperate and collaborate. Prior to the first version of PCI DSS in December 2004, Visa, MasterCard, American Express, Discover, and JCB each had their own separate card processing security standards. Imagine being a retailer taking those multiple methods of payment and having different compliance standards for each one!

So the invention of PCI DSS made payment security simpler for businesses. Still, there’s a lot retailers and restaurants should know about PCI DSS’s logging requirements. Fortunately, you’ve found a quick guide which should make the logging requirements easier to understand. While you’re here, I also recommend finding answers to any questions you may have on the PCI Security Standards website. So, let’s get started! Here’s what you need to know to help make PCI DSS compliance easy as far as logging requirements are concerned.

8 tips for PCI DSS logging requirements

  1. Always keep PCI DSS Requirement 10 in mind: track and monitor all access to network resources and cardholder data! This is the Golden Rule of PCI DSS logging compliance. Let this be your motto for all of the other details to be guided by. If you ever wonder whether a network component or any part of your point of sale (POS) system should be logged, it’s better to log everything than not log enough. There are log analysis tools and SIEM systems you can route all of your network logs through to help make thorough logging manageable, whether your networks are on premises, in the cloud, or a hybrid. Absolutely all actions in your network should be recorded and attributable to a specific user or process.
     
  2. Protect access to your logs. Only administrators should be able to view or make any changes to your logs and audit trails. And everything an administrator does in your POS systems and other networks should also be logged and attributable to them. If any user who isn’t an administrator can view or modify your logs, the integrity of your POS data will be at risk unnecessarily.
     
  3. Each user in your networks must have a unique username. Do not let more than one person share a user account or username in your network. If any action a person conducts in your networks can’t be attributed to a specific individual, PCI DSS compliance audits will likely fail.
     
  4. Examine your logs on a regular basis. Otherwise, you cannot be sure of the integrity and reliability of your logging. You could fulfill this requirement by having a specifically trained person look at your logs manually. But it’d likely be more effective to use automated tools for log analysis and event monitoring. Plus, your organization will be better able to prevent cyber incidents before they can do harm to your POS systems and your retail organization as a whole.
     
  5. Timing is everything. Therefore, you must make sure that the clocks which guide your systems and applications are set accurately. The timestamps in your logs are based on the time set in your applications and devices. Proper system configuration can automatically adjust for events like the start and end of daylight saving time. Whether a customer makes a purchase, or an unauthorized user tries to access your sensitive POS data, you must know exactly when it happened in order to have logs which meet PCI DSS compliance standards.
     
  6. Retain your logs for at least a year. You can keep your logs for even longer if you’d like, but at least a year is an absolute requirement for PCI DSS compliance. And when data is generated from your automated log analysis tools, retain that for at least a year as well.
     
  7. Be mindful of which critical events must be logged. Those events are: any user access to cardholder data, all actions taken by root or administrative users, any access to audit trails, any invalid logical access attempts, any use of or change to authentication mechanisms, any clearing, pausing, or stopping of logging, and all creation and deletion of system-level objects.
     
  8. All of your logs must contain the following information: type of event, date and time, success or failure indication, origination of event, and the identity or name of the affected data, system component, or resource.
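Tips 4 through 8 describe what an audit record must contain, which events must always be captured, that timestamps must be reliable, and that logs must reach back at least a year. The script below is an added example written for this post, not code from the original article or from any PCI DSS tool: it walks a constructed sample of JSON audit records, reports records missing a required field or carrying an unparseable timestamp, lists the critical events the post names, and checks whether the retained history reaches back a full year. The field names, event type names and the sample records are this example's own assumptions; PCI DSS specifies what information a log must hold, not a schema.

```python
"""Review a constructed audit-log sample against the logging points in this post."""
import json
from datetime import datetime, timedelta, timezone

# Information every record must carry (tip 8). The key names are assumptions
# made for this example; the standard names the information, not a schema.
REQUIRED_FIELDS = ("event_type", "timestamp", "outcome", "origin", "user", "target")

# Event types that must always be logged (tip 7). Names are this example's own.
CRITICAL_EVENTS = {
    "cardholder_data_access",
    "admin_action",
    "audit_trail_access",
    "invalid_access_attempt",
    "auth_mechanism_change",
    "logging_stopped",
    "system_object_created",
    "system_object_deleted",
}

RETENTION = timedelta(days=365)  # tip 6: keep logs for at least a year

# "Now" is pinned to the post's publication date so the retention check is
# reproducible; a real review would use the current time.
NOW = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Constructed sample records (hosts, users and targets are made up).
# Record 4 lacks the affected resource; record 5 has a broken timestamp.
SAMPLE_LOG = """\
{"event_type": "cardholder_data_access", "timestamp": "2020-08-30T14:02:11Z", "outcome": "success", "origin": "10.0.5.17", "user": "jsmith", "target": "pos-db/cardholder"}
{"event_type": "invalid_access_attempt", "timestamp": "2020-08-30T14:03:40Z", "outcome": "failure", "origin": "10.0.5.44", "user": "unknown", "target": "pos-admin-console"}
{"event_type": "logging_stopped", "timestamp": "2020-08-30T14:05:02Z", "outcome": "success", "origin": "10.0.5.2", "user": "admin", "target": "syslog"}
{"event_type": "admin_action", "timestamp": "2020-08-30T14:06:00Z", "outcome": "success", "origin": "10.0.5.2", "user": "admin"}
{"event_type": "login", "timestamp": "not-a-timestamp", "outcome": "success", "origin": "10.0.5.9", "user": "mlee", "target": "pos-terminal-3"}
{"event_type": "login", "timestamp": "2019-06-01T09:00:00Z", "outcome": "success", "origin": "10.0.5.9", "user": "mlee", "target": "pos-terminal-3"}
"""


def parse_timestamp(value):
    """Parse an ISO 8601 UTC timestamp ("...Z"); return None if it cannot be parsed (tip 5)."""
    try:
        ts = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        return None
    return ts.replace(tzinfo=timezone.utc)


def check_record(record):
    """Return the problems found in one record; an empty list means it is well formed."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in record]
    if "timestamp" in record and parse_timestamp(record["timestamp"]) is None:
        problems.append("unparseable timestamp")
    return problems


def review_log(text, now):
    """Walk the log once and summarise malformed records, critical events and retention reach."""
    summary = {"records": 0, "malformed": {}, "critical": [], "oldest": None}
    oldest = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            summary["malformed"][lineno] = ["invalid JSON"]
            continue
        summary["records"] += 1
        problems = check_record(record)
        if problems:
            summary["malformed"][lineno] = problems
        # Critical events (tip 7) are surfaced for the reviewer of tip 4 to look at.
        if record.get("event_type") in CRITICAL_EVENTS:
            summary["critical"].append((lineno, record["event_type"], record.get("user")))
        ts = parse_timestamp(record.get("timestamp"))
        if ts is not None and (oldest is None or ts < oldest):
            oldest = ts
    summary["oldest"] = oldest.isoformat() if oldest else None
    # Tip 6: the retained history should reach back at least one year.
    summary["history_reaches_one_year"] = oldest is not None and oldest <= now - RETENTION
    return summary


if __name__ == "__main__":
    print(json.dumps(review_log(SAMPLE_LOG, NOW), indent=2))
```

Running it against the sample flags record 4 (no affected resource) and record 5 (timestamp that cannot be ordered), lists the four critical events including the `logging_stopped` record that an auditor would want explained, and reports that the oldest record predates the one-year floor. Pointing `review_log` at a real export means mapping your own field names onto `REQUIRED_FIELDS` first.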

Keep these eight tips in mind and PCI DSS compliance will be much easier to achieve. Not only will your organization be more likely to pass compliance audits, but your sensitive financial data will also be much easier to secure. You can do this!
