PCI Requirement 10.3.3 – Date and Time

by Randy Bartels / December 20, 2022

 When did an Event Occur? PCI Requirement 10.3 defines what information logs should contain. PCI Requirement 10.3.3, a part of PCI Requirement 10.3, relates to detailing date and time in log entries. To comply with PCI Requirement 10.3.3, every logged event must contain the time and date that the logged event occurred. By doing so, an organization can always identify when an event occurred. Through interviews and observation, auditors…

PCI Requirement 10.3.2 – Type of Event

by Randy Bartels / December 20, 2022

 What Type of Event Occurred? PCI Requirement 10.3 defines what information logs should contain. PCI Requirement 10.3.2, a part of PCI Requirement 10.3, relates to detailing which types of events go into logs. To comply with PCI Requirement 10.3.2, every log that’s generated must contain the type of event that happened during that log event. By doing so, an organization can always identify what type of event occurred and…

PCI Requirement 10.3.1 – User Identification

by Randy Bartels / December 20, 2022

 Who Did What? Where PCI Requirement 10.2 talked about what events should cause a log to be created, PCI Requirement 10.3 defines what information a log should contain. One sub-requirement of PCI Requirement 10.3 relates to user identification in logging. To comply with PCI Requirement 10.3.1, user identification must be included in all log entries. By doing so, an organization can always identify which person performed which action. This…

PCI Requirement 10.3 – Record at Least the Following Audit Trail Entries for All System Components for Each Event

by Randy Bartels / December 20, 2022

 Who, What, Where, When, and How Where PCI Requirement 10.2 talked about what events should cause a log to be created, PCI Requirement 10.3 defines what information a log should contain. It requires that organizations record at least the following audit trail entries for all system components for each event: User identification Type of event Date and time Success or failure indication Origination of event Identity or name of…

PCI Requirement 10.2.7 – Creation and Deletion of System-Level Objects

by Randy Bartels / December 20, 2022

 What is a System-Level Object? PCI Requirement 10.2.7 requires that audit trails can reconstruct the creation and deletion of system-level objects. The PCI SSC defines a system-level object as anything on a system component that is required for its operation, including but not limited to database tables, stored procedures, application executables and configuration files, system configuration files, static and shared libraries and DLLs, system executables, device drivers and device…