The requirements of the Payment Card Industry Data Security Standard (PCI DSS) can be complex. However, taking a deeper look into some of its parts, particularly event log management, can help clarify some terms.
Many companies believe that logging is specified in PCI DSS so that they can discover threats to their networks. While this may be an ancillary benefit, logging was put into PCI for the benefit of the card brands. In the early years of credit card security, card brands put significant effort into determining the attack vectors of credit card breaches. Unfortunately, when they sent teams into retailers to find the root cause of breaches, they discovered only meager evidence to use in tracing attacks. Therefore, the brands introduced logging requirements into their individual cardholder protection efforts so they could find out what happened when a breach occurred. Eventually these requirements found their way into the PCI DSS. Understanding this as the intent of the logging requirements can help companies understand how to implement event log management to best meet PCI DSS compliance requirements.
What must be logged to meet PCI DSS compliance requirements?
Just a few years ago, it was unusual to see an environment where logs were checked on a regular basis. Logs were stored on syslog servers until an event occurred that required attention, such as an attack or a network issue, but there were so many events that information overload made log reviews unproductive. In order to reduce the logging burden, PCI focused on who did what and when they did it.
Therefore, the primary component of PCI logging is recording user activity in the cardholder data environment and keeping an audit trail of that activity available for review: who did what, on which system, and when. Mandating user activity logging and regular audit log reviews gives forensic investigators a reliable record to work from after a breach and creates a baseline of situational awareness within the PCI community, which is what the PCI Security Standards Council (SSC) set out to achieve.
Additionally, PCI mandates that the data be retained for auditing and forensic purposes, which means at least one year of audit trail history must be accessible to auditors or investigators. Logs that have been rotated to offline or archival storage count only if they can actually be produced: periodically restore a sample of archived log data, confirm it is complete for the period it claims to cover and has not been altered since it was written, and review it the same way you review live logs, so that it is available on demand when an auditor or investigator asks for it.
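The following is an added example, not code from the original article or from any PCI SSC material. It shows the two checks the preceding paragraphs describe in working form: parsing a constructed who/what/when audit log into a per-user trail (with a filter for events a daily review would surface), and verifying that an archive set covers a full retention window with intact hashes. The log line format, hostnames, usernames, the review rules and the manifest layout are all assumptions for illustration; the one-year window comes from the text above, and the sample log lines and archives are constructed inline.

```python
"""Added example: per-user audit trail from a constructed activity log, plus a
retention-coverage and integrity check over a constructed archive set.
Log format, hosts, users, review rules and manifest layout are assumptions."""
import hashlib
import re
from datetime import date, timedelta

# Constructed sample audit lines (who / what / when / from where); not real data.
SAMPLE_LOG = """\
2023-05-01T09:12:03Z cde-db01 audit: user=alice action=login result=success src=10.20.1.5
2023-05-01T09:13:44Z cde-db01 audit: user=alice action=query object=cardholder result=success src=10.20.1.5
2023-05-01T22:01:10Z cde-app02 audit: user=svc_batch action=export object=cardholder result=success src=10.20.3.9
2023-05-02T02:30:00Z cde-db01 audit: user=root action=disable_audit result=success src=10.20.1.77
2023-05-02T02:31:00Z cde-db01 audit: user=root action=login result=failure src=10.20.1.77
this line is deliberately malformed and must be skipped rather than crash the parser
"""

# Assumed line shape: "<timestamp> <host> audit: key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) audit: (?P<kv>.+)$")


def parse_audit_lines(text):
    """Return a list of dicts (ts, host, plus key=value fields); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": m.group("ts"), "host": m.group("host")}
        for token in m.group("kv").split():
            key, sep, value = token.partition("=")
            if sep:
                rec[key] = value
        records.append(rec)
    return records


def audit_trail(records, user):
    """The who-did-what-and-when trail for one user, in log order."""
    return [(r["ts"], r["host"], r.get("action", "?"))
            for r in records if r.get("user") == user]


def review_candidates(records):
    """Assumed review rules (illustrative, not the standard's own list): any action
    that touches the audit mechanism itself, and any failed attempt."""
    return [r for r in records
            if r.get("action") in {"disable_audit", "clear_log"} or r.get("result") == "failure"]


def build_manifest(archives):
    """archives: {date: bytes}. The hash manifest an archiver would write alongside the data."""
    return {d: hashlib.sha256(blob).hexdigest() for d, blob in archives.items()}


def retention_check(manifest, stored, today, days=365):
    """Return (missing, corrupt): days in the window with no archive on hand, and
    days whose stored bytes no longer match the manifest hash."""
    missing, corrupt = [], []
    for offset in range(days):
        d = today - timedelta(days=offset)
        if d not in manifest or d not in stored:
            missing.append(d)
        elif hashlib.sha256(stored[d]).hexdigest() != manifest[d]:
            corrupt.append(d)
    return missing, corrupt


def demo():
    """Constructed archive set: one blob per day for a full year, then two faults."""
    today = date(2023, 5, 2)
    archives = {today - timedelta(days=i): f"log-{i}".encode() for i in range(365)}
    manifest = build_manifest(archives)
    stored = dict(archives)
    del stored[today - timedelta(days=100)]        # a day that was never shipped offline
    stored[today - timedelta(days=200)] = b"xx"    # a day whose archive was altered
    missing, corrupt = retention_check(manifest, stored, today)
    return [d.isoformat() for d in missing], [d.isoformat() for d in corrupt]


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_LOG)
    for entry in audit_trail(recs, "alice"):
        print("alice:", entry)
    print("review:", [(r["ts"], r["user"], r["action"]) for r in review_candidates(recs)])
    missing, corrupt = demo()
    print("missing days:", missing, "corrupt days:", corrupt)
```

The retention check deliberately treats a day present in the manifest but absent from storage the same as a day that was never archived: to an investigator both are a gap. Hashing the stored blobs against a manifest written at archive time is what turns "we kept a year of logs" into something you can demonstrate on demand.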