PCI Requirement 10.4 – Using Time-Synchronization Technology, Synchronize All Critical System Clocks and Times

by Randy Bartels / December 20, 2022

 Why do System Clocks and Times Need to be Synchronized? Remember how PCI Requirement 10.3 requires that date and time of events are captured in log entries? PCI Requirement 10.4 dives into time management and what is required of that date and time. It requires that organizations should use time-synchronization technology to synchronize all critical system clocks and times, and ensure that the following is implemented for acquiring, distributing,…

PCI Requirement 10.3.6 – Identity or Name of Affected Data, System Component, or Resource

by Randy Bartels / December 20, 2022

 Which Assets were Impacted? In order to identify which assets are impacted by malicious activities, PCI Requirement 10.3.6 requires that every log details the identity or name of affected data, system component, or resource. This will help organizations identify what malicious actions were taken and what the defense was. Through interviews and observation, auditors will try to verify that the identity or name of affected data, system component, or…

Man working on computer

PCI Requirement 10.3.5 – Origination of Event

by Randy Bartels / December 20, 2022

 Where did an Event Begin? When an event occurs, organizations need to know where it came from, so they can trace back to where it happened. PCI Requirement 10.3.5 requires that every log details the origination of event. By doing so, an organization can always identify where an event occurred. Through interviews and observation, auditors will try to verify that the origination of the event is included in log…

PCI Requirement 10.3.4 – Success or Failure Indication

by Randy Bartels / December 20, 2022

 Successful or Not? According to PCI Requirement 10.3.4, every log that’s generated must contain a success or failure indication to demonstrate whether the action that was taken was successful or not. Most applications are pretty good about logging the failed attempts; however, we find that from an assessment perspective, many organizations struggle with the successful events. Through interviews and observation, auditors will try to verify that a success or…

PCI Requirement 10.3.3 – Date and Time

by Randy Bartels / December 20, 2022

 When did an Event Occur? PCI Requirement 10.3 defines what information logs should contain. PCI Requirement 10.3.3, a part of PCI Requirement 10.3, relates to detailing date and time in log entries. To comply with PCI Requirement 10.3.3, every logged event must contain the time and date that the logged event occurred. By doing so, an organization can always identify when an event occurred. Through interviews and observation, auditors…