Successful or Not?

According to PCI Requirement 10.3.4, every log that’s generated must contain a success or failure indication to demonstrate whether the action that was taken was successful or not. Most applications are pretty good about logging the failed attempts; however, we find that from an assessment perspective, many organizations struggle with the successful events.

Through interviews and observation, auditors will try to verify that a success or failure indication is included in log entries.

Each log that’s generated must contain whether the action that was taken was successful or not. Most applications, or most operating systems by default, are pretty good about logging the failed attempts. However, we find that from an assessment perspective, most organizations struggle with the successful events. Whether the event was successful or not, it needs to be logged as part of the event that took place.

When did an Event Occur?

PCI Requirement 10.3 defines what information logs should contain. PCI Requirement 10.3.3, a part of PCI Requirement 10.3, relates to detailing date and time in log entries. To comply with PCI Requirement 10.3.3, every logged event must contain the time and date that the logged event occurred. By doing so, an organization can always identify when an event occurred.

Through interviews and observation, auditors will try to verify that a date and time stamp is included in log entries.

Each logged event must contain the time and date that the logged event occurred.

What Type of Event Occurred?

PCI Requirement 10.3 defines what information logs should contain. PCI Requirement 10.3.2, a part of PCI Requirement 10.3, relates to detailing which types of events go into logs. To comply with PCI Requirement 10.3.2, every log that’s generated must contain the type of event that happened during that log event. By doing so, an organization can always identify what type of event occurred and possibly how it occurred.

Through interviews and observation, auditors will try to verify that the type of event is included in log entries.

Every log that’s generated must contain the type of event that happened during that log event.

Who Did What?

Where PCI Requirement 10.2 talked about what events should cause a log to be created, PCI Requirement 10.3 defines what information a log should contain. One sub-requirement of PCI Requirement 10.3 relates to user identification in logging. To comply with PCI Requirement 10.3.1, user identification must be included in all log entries. By doing so, an organization can always identify which person performed which action. This component will help quickly identify and give details related to who contributed to a compromise.

Through interviews and observation, auditors will try to verify that user identification is included in all log entries.

Every log that’s generated must include the identification of the person or the asset that performed the action.

Who, What, Where, When, and How

Where PCI Requirement 10.2 talked about what events should cause a log to be created, PCI Requirement 10.3 defines what information a log should contain. It requires that organizations record at least the following audit trail entries for all system components for each event:

  • User identification
  • Type of event
  • Date and time
  • Success or failure indication
  • Origination of event
  • Identity or name of affected data, system component, or resource

The components required by PCI Requirement 10.3 will help quickly identify and give details related to who, what, where, when, and how compromises occur.
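One practical way to act on this list is to check the audit trail itself rather than rely on interviews alone. The following Python script is an added example, not code from the original page or from PCI DSS: it reads JSON-formatted log lines and reports any entry missing one of the six required items, treating a missing success/failure indication as a finding (the gap this series calls out most often). The field names (`user`, `event_type`, `timestamp`, `outcome`, `origin`, `target`), the JSON line format and the sample log lines are assumptions constructed for the example; the mapping of the last two list items to 10.3.5 and 10.3.6 follows the PCI DSS v3.x numbering.

```python
"""Check that audit-log entries carry the six items PCI DSS Requirement 10.3
asks for. Field names, the JSON line format and the sample log lines are
assumptions constructed for this example, not from any real product."""
import json
from datetime import datetime

# PCI 10.3.1 - 10.3.6 mapped onto the assumed field names of our log format.
REQUIRED_FIELDS = {
    "user": "10.3.1 user identification",
    "event_type": "10.3.2 type of event",
    "timestamp": "10.3.3 date and time",
    "outcome": "10.3.4 success or failure indication",
    "origin": "10.3.5 origination of event",
    "target": "10.3.6 identity or name of affected data, system component, or resource",
}

VALID_OUTCOMES = {"success", "failure"}


def check_entry(entry: dict) -> list:
    """Return a list of findings for one entry (empty when it is complete)."""
    findings = []
    for field, requirement in REQUIRED_FIELDS.items():
        if entry.get(field) in (None, ""):
            findings.append(f"missing {field} ({requirement})")
    # 10.3.4: the indication must be explicit, not inferred from message text.
    outcome = entry.get("outcome")
    if outcome is not None and outcome not in VALID_OUTCOMES:
        findings.append(f"outcome {outcome!r} is not one of {sorted(VALID_OUTCOMES)}")
    # 10.3.3: a timestamp that does not parse cannot be correlated across systems.
    ts = entry.get("timestamp")
    if ts:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"timestamp {ts!r} is not ISO 8601")
    return findings


def audit_log(lines) -> dict:
    """Map each 1-based line number to its findings; clean lines are omitted."""
    report = {}
    for n, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            report[n] = ["line is not valid JSON"]
            continue
        findings = check_entry(entry)
        if findings:
            report[n] = findings
    return report


# Constructed sample: a complete failed-login entry, a successful login whose
# outcome was never recorded, and a config change with several gaps at once.
SAMPLE_LOG = """
{"timestamp": "2024-03-01T12:00:00Z", "user": "jdoe", "event_type": "login", "outcome": "failure", "origin": "10.0.0.5", "target": "cde-app-01"}
{"timestamp": "2024-03-01T12:00:07Z", "user": "jdoe", "event_type": "login", "origin": "10.0.0.5", "target": "cde-app-01"}
{"timestamp": "03/01/2024 12:01", "user": "", "event_type": "config_change", "outcome": "ok", "origin": "console", "target": "firewall-rules"}
""".strip().splitlines()

if __name__ == "__main__":
    for line_no, findings in audit_log(SAMPLE_LOG).items():
        for finding in findings:
            print(f"line {line_no}: {finding}")
```

Run against a real export, the report points straight at the event types whose successful path is not being recorded, which is exactly the evidence an assessor asks for under 10.3.4. The outcome check insists on a fixed vocabulary because free-text values such as "ok" or "done" cannot be searched or alerted on consistently.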

Where PCI Requirement 10.2 talked about what events should cause a log to be created, PCI Requirement 10.3 defines what information every log must contain at the moment it is generated, namely the six items listed above.