PCI Requirement 10.4.2 – Time Data is Protected
Protecting the Integrity of Time Data
PCI Requirement 10.4.2 requires that through time-synchronization technology, time data is protected. Organizations must implement controls to protect time data from unauthorized access or modification. Why? Malicious attackers may seek to modify time data to hide what actions they’ve taken over a period of time.
The testing procedures for PCI Requirement 10.4.2 requires that assessors examine system configurations and time-synchronization settings to verify that access to time data is restricted to only personnel with a business need to access time data. An assessor will also need to verify that any changing to time settings on critical systems are logged, monitored, and reviewed.
Now that we have NTP established within our environment, we need to implement controls around protecting it from unauthorized modification. If I’m Hacker Joe and I’m in your environment, I may want to skew your NTP server to hide what I’ve done over a period of time. What’s specific to PCI Requirement 10.4.2 is that you need to have controls specific to protecting the integrity of the time within your environment. Your assessors are going to be looking that data. They’re also going to be looking for the controls that you’ve established and making sure that whatever you’ve documented is done securely.