Identifying Which Accounts Have Been Compromised
PCI Requirement 10.2.1 requires that audit trails reconstruct all individual user accesses to cardholder data. What is the purpose of PCI Requirement 10.2.1? The PCI DSS guidance explains, “Malicious individuals could obtain knowledge of a user account with access to systems in the CDE, or they could create a new, unauthorized account in order to access cardholder data. A record of all individual accesses to cardholder data can identify which accounts may have been compromised or misused.”
Anytime someone accesses cardholder data, a log should be generated. An assessor will work with your database and network administrators to verify that all individual accesses to cardholder data are logged.
Anytime anybody accesses cardholder data, a log should be generated. The assessor will have worked with your database administrators and your network administrators, having them run queries against the data you hold on site. As part of this, the assessor is likely to note the times, dates, and individuals who performed those actions. They may then ask you to retrieve the corresponding logs to demonstrate that your applications or servers are logging the information necessary to meet PCI Requirement 10.2.1.
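To make concrete what "reconstruct all individual user accesses to cardholder data" looks like in practice, here is an added example (not from the original page, and not a PCI DSS artifact) that parses a constructed JSON-lines audit trail, rebuilds each account's access history in time order, and flags accounts whose trail suggests compromise or misuse: an account missing from the authorized CDE roster, after-hours access, or denied attempts. The field names, the sample records, the roster and the business-hours window are all assumptions chosen for this example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (JSON lines), one record per access to cardholder data.
# Field names and values are assumptions for this example, not a PCI-mandated schema.
# "object" holds a tokenized card reference so no PAN appears in the log itself.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:01Z", "user": "alice", "action": "read", "object": "card_token:tok_4f2a", "result": "success", "src": "10.0.5.21"}
{"ts": "2024-03-04T09:13:47Z", "user": "alice", "action": "read", "object": "card_token:tok_9c11", "result": "success", "src": "10.0.5.21"}
{"ts": "2024-03-04T11:02:10Z", "user": "bob", "action": "export", "object": "card_token:tok_4f2a", "result": "denied", "src": "10.0.5.40"}
{"ts": "2024-03-04T23:41:05Z", "user": "svc_backup2", "action": "read", "object": "card_token:tok_4f2a", "result": "success", "src": "10.0.9.7"}
{"ts": "2024-03-04T23:41:06Z", "user": "svc_backup2", "action": "read", "object": "card_token:tok_9c11", "result": "success", "src": "10.0.9.7"}
"""

# Every record must carry enough to attribute the access to one individual account.
REQUIRED_FIELDS = ("ts", "user", "action", "object", "result", "src")


def parse_audit_log(text):
    """Parse JSON-lines audit records; reject any record that cannot be attributed."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise ValueError(f"line {lineno}: audit record missing {missing}")
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def access_trail(records):
    """Reconstruct each account's individual accesses in chronological order."""
    trail = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        trail[rec["user"]].append(rec)
    return dict(trail)


def suspect_accounts(records, authorized_users, business_hours=(8, 18)):
    """Return {account: [reasons]} for accounts whose trail suggests compromise or misuse.

    The three criteria below are assumptions for this example; a real programme
    would tune them to its own CDE and staffing pattern.
    """
    findings = defaultdict(list)
    for user, accesses in access_trail(records).items():
        # An account that reaches cardholder data but is not on the roster may be
        # a newly created unauthorized account (the case the requirement describes).
        if user not in authorized_users:
            findings[user].append("account not in authorized CDE user roster")
        start, end = business_hours
        after_hours = [a for a in accesses if not (start <= a["ts"].hour < end)]
        if after_hours:
            findings[user].append(f"{len(after_hours)} access(es) outside business hours")
        denied = [a for a in accesses if a["result"] == "denied"]
        if denied:
            findings[user].append(f"{len(denied)} denied attempt(s)")
    return dict(findings)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    for user, reasons in suspect_accounts(recs, {"alice", "bob"}).items():
        print(user, "->", "; ".join(reasons))
```

The point of the `REQUIRED_FIELDS` check is that a record without a user, timestamp, object and outcome cannot reconstruct an individual access at all, so the parser refuses it rather than silently producing a trail with gaps; that is the kind of completeness an assessor will be probing for when they ask you to pull the logs for a specific time, date and individual.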