PCI Requirement 10.1 – Implement Audit Trails to Link All Access to System Components to Each Individual User

by Randy Bartels / December 19, 2022

Audit Trails

PCI Requirement 10.1 is a pretty straightforward requirement. It states, “Implement audit trails to link all access to system components to each individual user.” This means that everything in scope should have logging enabled to allow organizations to track suspicious activity back to a specific user. To verify compliance with PCI Requirement 10.1, an auditor will observe and interview a system administrator to see that audit trails…

PCI Requirement 10 – Track and Monitor all Access to Network Resources and Cardholder Data

by Randy Bartels / May 31, 2023

Importance of Logging and Tracking

If data was compromised at your organization, how would you determine the cause? PCI Requirement 10 focuses on a critical aspect of data protection: logging and tracking. Implementing logging mechanisms at your organization gives you the ability to track user activities, which is crucial in preventing, detecting, and minimizing the consequences of a data breach. Without logging and tracking, it’s even more difficult to…

PCI Requirement 9.10 – Ensure Policies and Procedures for Restricting Physical Access to Cardholder Data are Documented, In Use, and Known to All Affected Parties

by Randy Bartels / December 20, 2022

Implementing PCI Requirement 9.10

PCI Requirement 9 states, “Restrict physical access to cardholder data.” Complying with PCI Requirement 9 is critical to ensuring that cardholder data is physically accessed only by authorized personnel. For this requirement, we’ve discussed aspects of physical security such as facility entry controls, visitor identification and access controls, how to physically secure media, controlling the distribution of media, how to destroy media, and more. But,…

PCI Requirement 9.9.3 – Provide Training for Personnel to Be Aware of Attempted Tampering or Replacement of Devices

by Randy Bartels / December 20, 2022

Training on Tampering

Your organization must protect the integrity of devices that physically interact with cardholder data. PCI Requirement 9.9.3 requires that your organization provide training for personnel to be aware of attempted tampering or replacement of devices. This training needs to include: Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Criminals often…

PCI Requirement 9.9.2 – Periodically Inspect Device Surfaces to Detect Tampering or Substitution

by Randy Bartels / December 20, 2022

Inspect for Tampering or Substitution

PCI Requirement 9.9.2 is focused specifically on the physical inspection of devices that physically interact with payment card information. It states, “Periodically inspect device surfaces to detect tampering or substitution.” Complying with PCI Requirement 9.9.2 minimizes the potential use of fraudulent card-reading devices because periodic inspections will help you more quickly detect tampering and substitution.

Examples of Tampering

Tampering could be detected in many…