Without formal processes in place to detect and alert when critical security controls have failed, failures could go undetected for extended periods of time and provide malicious individuals with opportunities to compromise your systems and obtain sensitive data from the cardholder data environment. This is why PCI Requirement 10.8 requires that service providers implement a process for the timely detection and reporting of failures of critical security control systems. This could be the failure of things like firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms, and/or segmentation controls.
PCI Requirement 10.8 is an additional requirement for service providers only.
PCI Requirement 10.8 is another one of those requirements that is specific to service providers. If you’re a service provider and you’re providing services to other third-party organizations, you need to have a process in place that your log program and your security program is functioning as expected. PCI Requirement 10.8 calls out the requirements for monitoring programs, making sure that all of those assets are functioning, that you’re getting logs from all of those things, and that you’re reviewing them as appropriate.