PCI Requirement 10

Track and monitor all access to network resources and cardholder data

If data was compromised at your organization, how would you determine the cause? PCI Requirement 10 focuses on a critical aspect of data protection: logging and tracking. Implementing logging mechanisms at your organization gives you the ability to track user activities, which is crucial in preventing, detecting, and minimizing the consequences of a data breach. Without logging and tracking, it’s almost impossible to find the source of the data breach or compromise.

This set of videos will help you understand what’s required of your organization to comply with PCI Requirement 10. Click on a video below to get started.

PCI Requirement 10 – Track and Monitor all Access to Network Resources and Cardholder Data

If data was compromised at your organization, how would you determine the cause? PCI Requirement 10 focuses on a critical aspect of data protection: logging and tracking. Implementing logging mechanisms at your organization gives you the ability to track user activities, which is crucial in preventing, detecting, and minimizing the consequences of a data breach. Without logging and tracking, it’s even more difficult to find the source of the data breach. This is why PCI Requirement 10 requires, “Track and monitor all access to network resources and cardholder data.”
May 1, 2018/by Jeff Wilder
PCI Requirement 10.1 – Implement Audit Trails to Link All Access to System Components to Each Individual User

PCI Requirement 10.1 is a pretty straightforward requirement. It states, “Implement audit trails to link all access to system components to each individual user.” This means that everything in scope should have logging enabled to enable organizations to track suspicious activity back to a specific user. To verify compliance with PCI Requirement 10.1, an auditor will observe and interview a system administrator to see that audit trails are enabled and active for system components and access to system components is linked to individual users.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.2 – Implement Automated Audit Trails for all System Components to Reconstruct the Events

Because PCI Requirement 10 requires that logging mechanisms be enabled, we often hear clients ask, “What do I log?” The PCI DSS gives us specific insight into which events need to be logged so that audit trails can provide a history to help identify and trace malicious activities. PCI Requirement 10.2 requires that organizations implement automated audit trails for all system components to reconstruct the following events:
May 1, 2018/by Jeff Wilder
PCI Requirement 10.2.1 – All Individual User Accesses to Cardholder Data

PCI Requirement 10.2.1 requires that audit trails reconstruct all individual user accesses to cardholder data. What is the purpose of PCI Requirement 10.2.1? The PCI DSS guidance explains, “Malicious individuals could obtain knowledge of a user account with access to systems in the CDE, or they could create a new, unauthorized account in order to access cardholder data. A record of all individual accesses to cardholder data can identify which accounts may have been compromised or misused.”
May 1, 2018/by Jeff Wilder
PCI Requirement 10.2.2 – All Actions Taken by Any Individual with Root or Administrative Privileges

Accounts that have root or administrative privileges have a greater chance of impacting the security and functionality of a system. This is why PCI Requirement 10.2.2 requires that organizations implement automated audit trails to reconstruct all actions taken by an individual with root or administrative privileges. Without logging mechanisms enabled, how could you trace issues resulting from misuse of root or administrative privileges?
May 1, 2018/by Jenna Kersten
PCI Requirement 10.2.3 – Access to All Audit Trails

PCI Requirement 10.2.3 requires that organizations implement automated audit trails to reconstruct access to audit trails. What’s the purpose of this? Guidance for PCI Requirement 10.2.3 states, “Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel.”
May 1, 2018/by Jeff Wilder
PCI Requirement 10.2.4 – Invalid Logical Access Attempts

Invalid logical access attempts are often an indication of a malicious user attempting to access something they don’t have permission to. This is why PCI Requirement 10.2.4 requires that organizations implement automated audit trails to reconstruct invalid logical access attempts. Misspell your password? There should be a log of that. Someone tries to view a file that they don’t have permission to? There should be a log of that. A user tries to exercise a permission they do not have? There should be a log of that. Any time there’s an invalid logical access attempt, there should be a log of that.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.2.5 – Use of and Changes to Identification and Authentication Mechanisms and Accounts with Root or Administrative Privileges

PCI Requirement 10.2.5 requires that organizations implement automated audit trails to reconstruct the use of and changes to identification and authentication mechanisms — including but not limited to creation of new accounts and elevation of privileges — and all changes, additions, or deletions to accounts with root or administrative privileges. The guidance on PCI Requirement 10.2.5 explains that without knowing which users were logged on at the time of an incident, it is impossible to identify which accounts may have been used.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.2.6 – Initialization, Stopping, or Pausing of the Audit Logs

Stopping or pausing audit logs prior to performing malicious activities is a common practice for users hoping to avoid detection, and initialization of audit logs could indicate that the log function was disabled by a user. This is why PCI Requirement 10.2.6 requires that audit trails can reconstruct the initialization, stopping, or pausing of audit logs.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.2.7 – Creation and Deletion of System-Level Objects

PCI Requirement 10.2.7 requires that audit trails can reconstruct the creation and deletion of system-level objects. The PCI SSC defines a system-level object as anything on a system component that is required for its operation, including but not limited to database tables, stored procedures, application executables and configuration files, system configuration files, static and shared libraries and DLLs, system executables, device drivers and device configuration files, and third-party components.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.3 – Record at Least the Following Audit Trail Entries for All System Components for Each Event

Where PCI Requirement 10.2 talked about what events should cause a log to be created, PCI Requirement 10.3 defines what information a log should contain. It requires that organizations record at least the following audit trail entries for all system components for each event:
May 1, 2018/by Jeff Wilder
PCI Requirement 10.3.1 – User Identification

Where PCI Requirement 10.2 talked about what events should cause a log to be created, PCI Requirement 10.3 defines what information a log should contain. One sub-requirement of PCI Requirement 10.3 relates to user identification in logging. To comply with PCI Requirement 10.3.1, user identification must be included in all log entries. By doing so, an organization can always identify which person performed which action. This component will help quickly identify and give details related to who contributed to a compromise.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.3.2 – Type of Event

PCI Requirement 10.3 defines what information logs should contain. PCI Requirement 10.3.2, a part of PCI Requirement 10.3, relates to detailing which types of events go into logs. To comply with PCI Requirement 10.3.2, every log that’s generated must contain the type of event that happened during that log event. By doing so, an organization can always identify what type of event occurred and possibly how it occurred.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.3.3 – Date and Time

PCI Requirement 10.3 defines what information logs should contain. PCI Requirement 10.3.3, a part of PCI Requirement 10.3, relates to detailing date and time in log entries. To comply with PCI Requirement 10.3.3, every logged event must contain the time and date that the logged event occurred. By doing so, an organization can always identify when an event occurred.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.3.4 – Success or Failure Indication

According to PCI Requirement 10.3.4, every log that’s generated must contain a success or failure indication to demonstrate whether the action that was taken was successful or not. Most applications are pretty good about logging the failed attempts; however, we find that from an assessment perspective, many organizations struggle with the successful events.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.3.5 – Origination of Event

When an event occurs, organizations need to know where it came from, so they can trace back to where it happened. PCI Requirement 10.3.5 requires that every log details the origination of the event. By doing so, an organization can always identify where an event occurred.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.3.6 – Identity or Name of Affected Data, System Component, or Resource

In order to identify which assets are impacted by malicious activities, PCI Requirement 10.3.6 requires that every log details the identity or name of affected data, system component, or resource. This will help organizations identify what malicious actions were taken and what the defense was.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.4 – Using Time-Synchronization Technology, Synchronize All Critical System Clocks and Times

Remember how PCI Requirement 10.3 requires that the date and time of events are captured in log entries? PCI Requirement 10.4 dives into time management and what is required of that date and time. It requires that organizations use time-synchronization technology to synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time:
May 1, 2018/by Jeff Wilder
PCI Requirement 10.4.1 – Critical Systems Have the Correct and Consistent Time

PCI Requirement 10.4.1 requires that critical systems have the correct and consistent time so that chronological events can be recreated. Without proper and consistent synchronization, it’s almost impossible to compare logs to systems and determine an exact sequence of events. Compliance with PCI Requirement 10.4.1 is crucial during incident response.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.4.2 – Time Data is Protected

PCI Requirement 10.4.2 requires that through time-synchronization technology, time data is protected. Organizations must implement controls to protect time data from unauthorized access or modification. Why? Malicious attackers may seek to modify time data to hide what actions they’ve taken over a period of time.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.4.3 – Time Settings Are Received from Industry-Accepted Time Sources

To ensure that critical system clocks and time are consistent and correct, PCI Requirement 10.4.3 requires that time settings are received from industry-accepted time sources. This could be from something like the U.S. Navy, NASA, Google, or other organizations who use GPS for time synchronizations.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.5 – Secure Audit Trails so They Cannot Be Altered

Now that you’ve complied with other PCI Requirement 10 standards and have established audit trails, that information needs to be secured. Audit trails contain all the correct information about events and incidents, so malicious individuals will often seek to alter audit trails to hide their actions. PCI Requirement 10.5 requires that you secure audit trails so they cannot be altered. Your organization must protect the completeness, accuracy, and integrity of audit trails.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.5.1 – Limit Viewing of Audit Trails to Those with a Job-Related Need

Protection of audit trails requires strong access controls; once again, the principle of least privilege comes into play. Audit trails contain sensitive information that only some members of an organization should have access to. This is why PCI Requirement 10.5.1 requires organizations to limit viewing of audit trails to those with a job-related need.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.5.2 – Protect Audit Trail Files from Unauthorized Modifications

PCI Requirement 10.5.2 requires organizations to protect audit trail files from unauthorized modifications. What would an unauthorized modification look like? Audit trails contain all the correct information about events and incidents in critical systems, so malicious individuals will often seek to modify audit trails to hide their actions.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.5.3 – Promptly Back Up Audit Trail Files to a Centralized Log Server or Media that is Difficult to Alter

PCI Requirement 10.5.3 asks organizations to promptly back up audit trail files to a centralized log server or media that is difficult to alter. The purpose of PCI Requirement 10.5.3 is to support PCI Requirement 10.5 and prevent unauthorized modifications to audit trail files. The PCI DSS guidance also explains, “Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised.”
May 1, 2018/by Jeff Wilder
PCI Requirement 10.5.4 – Write Logs for External-Facing Technologies onto a Secure, Centralized, Internal Log or Media Device

Another element to PCI Requirement 10 is PCI Requirement 10.5.4, which requires organizations to write logs for external-facing technologies onto a secure, centralized, internal log server or media device. The PCI DSS explains the purpose of PCI Requirement 10.5.4 when it states, “By writing logs from external-facing technologies such as wireless, firewalls, DNS, and mail servers, the risk of those logs being lost or altered is lowered, as they are more secure within the internal network.”
May 1, 2018/by Jenna Kersten
PCI Requirement 10.5.5 – Use File-Integrity Monitoring or Change-Detection Software on Logs to Ensure that Existing Log Data Cannot be Changed Without Generating Alerts

PCI Requirement 10.5.5 requires organizations to use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). The PCI DSS guidance explains that file-integrity monitoring or change-detection systems check for changes to critical files and provide notification when such changes are noted. Organizations usually monitor files that don’t regularly change, since a change to such a file indicates a possible compromise.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.6 – Review Logs and Security Events for All System Components to Identify Anomalies or Suspicious Activity

Many breaches occur over a period of time before being detected. That’s why it’s not enough to just create logs; you also have to create a process for reviewing them. How could you ever spot a pattern of suspicious activity if you don’t review your logs?
May 1, 2018/by Jeff Wilder
PCI Requirement 10.6.1 – Review the Following Daily: All Security Events, Logs of All System Components, Logs of All Critical System Components, and Logs of All Servers and System Components that Perform Security Functions

By reviewing logs daily, organizations can maximize their security efforts and minimize the exposure to potential breaches. PCI Requirement 10.6.1 requires that organizations review the following at least daily:
May 1, 2018/by Jeff Wilder
PCI Requirement 10.6.2 – Review Logs of All Other System Components Periodically Based on the Organization’s Policies and Risk Management Strategy

PCI Requirement 10.6.1 requires daily review of logs of system components that store, process, or transmit cardholder data, logs of all critical system components, and logs of all servers and system components that perform security functions. But what about all other system components? PCI Requirement 10.6.2 addresses this and requires that organizations review logs of all other system components periodically based on the organization’s policies and risk management strategy. PCI Requirement 10.6.2 allows you to prioritize your log review program and apply log review in an appropriate way.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.6.3 – Follow Up Exceptions and Anomalies Identified During the Review Process

Once an organization has completed log review, it must follow up on exceptions and anomalies identified during the review process. The purpose of PCI Requirement 10.6.3 is a little obvious, right? If exceptions and anomalies are not investigated, then what’s the point of the log review process? The follow-up process helps make organizations aware of unauthorized activities occurring in their network.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.7 – Retain Audit Trail History for at Least One Year, with a Minimum of Three Months Immediately Available

Now that you’ve implemented logging, what do you do with the logs? PCI Requirement 10.7 asks that you retain audit trail history for at least one year, with a minimum of three months immediately available for analysis. A year is the recommended length of time because it may take a few months to notice a compromise. A year’s worth of audit trail history can be very helpful during analysis.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.8 – Additional Requirement for Service Providers Only: Implement a Process for the Timely Detection and Reporting of Failures of Critical Control Systems

Without formal processes in place to detect and alert when critical security controls have failed, failures could go undetected for extended periods of time and provide malicious individuals with opportunities to compromise your systems and obtain sensitive data from the cardholder data environment.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.8.1 – Additional Requirement for Service Providers Only: Respond to Failures of Any Critical Security Controls in a Timely Manner

So, you’ve been alerted to failures of critical security controls…what do you do next? PCI Requirement 10.8.1 requires that you respond to failures of any critical security controls in a timely manner. If not, attackers can take the opportunity to infect your systems.
May 1, 2018/by Jeff Wilder
PCI Requirement 10.9 – Ensure Security Policies and Procedures for Monitoring All Access to Network Resources and Cardholder Data are Documented, in Use, and Known to All Affected Parties

PCI Requirement 10 states, “Track and monitor all access to network resources and cardholder data.” Complying with PCI Requirement 10 is critical to ensuring that you know who had what access to cardholder data.
May 1, 2018/by Jeff Wilder