What is PCI Requirement 10.2.5?
PCI Requirement 10.2.5 requires that organizations implement automated audit trails to reconstruct the use of and changes to identification and authentication mechanisms — including but not limited to creation of new accounts and elevation of privileges — and all changes, additions, or deletions to accounts with root or administrative privileges. The guidance on PCI Requirement 10.2.5 explains that without knowing which users were logged on at the time of an incident, it is impossible to identify which accounts that may have been used.
To verify compliance with PCI Requirement 10.2.5, an assessor will observe the use of and changes to identification and authentication mechanisms and logs of accounts with root or administrative privileges.
Anytime anybody uses an authentication mechanism or tool, we need to see a log of that. Whether that be an application, VPN, or logging into a local work station, we need to see a log of that. Anytime anybody attempts to authenticate, whether it’s successful or not, we need to see a log of that event.