PCI Requirement 10.4.3 – Time Settings Are Received from Industry-Accepted Time Sources

by Randy Bartels / December 20, 2022

 Industry-Accepted Time Sources To ensure that critical system clocks and time are consistent and correct, PCI Requirement 10.4.3 requires that time settings are received from industry-accepted time sources. This could be from something like the U.S. Navy, NASA, Google, or other organizations who use GPS for time synchronizations. The testing procedures for PCI Requirement 10.4.3 requires assessors to examine systems configurations to verify that the time servers accept time…

PCI Requirement 10.4.2 – Time Data is Protected

by Randy Bartels / December 20, 2022

 Protecting the Integrity of Time Data PCI Requirement 10.4.2 requires that through time-synchronization technology, time data is protected. Organizations must implement controls to protect time data from unauthorized access or modification. Why? Malicious attackers may seek to modify time data to hide what actions they’ve taken over a period of time. The testing procedures for PCI Requirement 10.4.2 requires that assessors examine system configurations and time-synchronization settings to verify…

PCI Requirement 10.4.1 – Critical Systems Have the Correct and Consistent Time

by Randy Bartels / December 20, 2022

 Chronological Events PCI Requirement 10.4.1 requires that critical systems have the correct and consistent time so that chronological events can be recreated. Without proper and consistent synchronization, it’s almost impossible to compare logs to systems and determine an exact sequence of events. Compliance with PCI Requirement 10.4.1 is crucial during incident response. There are several testing procedures to verify compliance with PCI Requirement 10.4.1. The PCI DSS states that…

PCI Requirement 10.4 – Using Time-Synchronization Technology, Synchronize All Critical System Clocks and Times

by Randy Bartels / December 20, 2022

 Why do System Clocks and Times Need to be Synchronized? Remember how PCI Requirement 10.3 requires that date and time of events are captured in log entries? PCI Requirement 10.4 dives into time management and what is required of that date and time. It requires that organizations should use time-synchronization technology to synchronize all critical system clocks and times, and ensure that the following is implemented for acquiring, distributing,…

PCI Requirement 10.3.6 – Identity or Name of Affected Data, System Component, or Resource

by Randy Bartels / December 20, 2022

 Which Assets were Impacted? In order to identify which assets are impacted by malicious activities, PCI Requirement 10.3.6 requires that every log details the identity or name of affected data, system component, or resource. This will help organizations identify what malicious actions were taken and what the defense was. Through interviews and observation, auditors will try to verify that the identity or name of affected data, system component, or…