PCI Requirement 10.5 – Secure Audit Trails so They Cannot Be Altered

by Randy Bartels / December 20, 2022

Protecting the Integrity of Audit Trails

Now that you’ve complied with other PCI Requirement 10 standards and have established audit trails, that information needs to be secured. Audit trails contain all the correct information about events and incidents, so malicious individuals will often seek to alter audit trails to hide their actions. PCI Requirement 10.5 requires that you secure audit trails so they cannot be altered. Your organization must…

PCI Requirement 10.4.3 – Time Settings Are Received from Industry-Accepted Time Sources

by Randy Bartels / December 20, 2022

Industry-Accepted Time Sources

To ensure that critical system clocks and time are consistent and correct, PCI Requirement 10.4.3 requires that time settings are received from industry-accepted time sources. This could be from something like the U.S. Navy, NASA, Google, or other organizations that use GPS for time synchronization. The testing procedures for PCI Requirement 10.4.3 require assessors to examine systems configurations to verify that the time servers accept time…

PCI Requirement 10.4.2 – Time Data is Protected

by Randy Bartels / December 20, 2022

Protecting the Integrity of Time Data

PCI Requirement 10.4.2 requires that through time-synchronization technology, time data is protected. Organizations must implement controls to protect time data from unauthorized access or modification. Why? Malicious attackers may seek to modify time data to hide what actions they’ve taken over a period of time. The testing procedures for PCI Requirement 10.4.2 require that assessors examine system configurations and time-synchronization settings to verify…

PCI Requirement 10.4.1 – Critical Systems Have the Correct and Consistent Time

by Randy Bartels / December 20, 2022

Chronological Events

PCI Requirement 10.4.1 requires that critical systems have the correct and consistent time so that chronological events can be recreated. Without proper and consistent synchronization, it’s almost impossible to compare logs to systems and determine an exact sequence of events. Compliance with PCI Requirement 10.4.1 is crucial during incident response. There are several testing procedures to verify compliance with PCI Requirement 10.4.1. The PCI DSS states that…

PCI Requirement 10.4 – Using Time-Synchronization Technology, Synchronize All Critical System Clocks and Times

by Randy Bartels / December 20, 2022

Why do System Clocks and Times Need to be Synchronized?

Remember how PCI Requirement 10.3 requires that date and time of events are captured in log entries? PCI Requirement 10.4 dives into time management and what is required of that date and time. It requires organizations to use time-synchronization technology to synchronize all critical system clocks and times, and ensure that the following is implemented for acquiring, distributing,…