Implementing PCI Requirement 10
PCI Requirement 10 states, “Track and monitor all access to network resources and cardholder data.” Complying with PCI Requirement 10 is critical to ensuring that you know who had what access to cardholder data. For this requirement, we’ve discussed aspects of tracking and monitoring access to network resources and cardholder data, such as how to implement audit trails, what should be documented in logs, which failures you should be notified of, how long to retain audit trail history, and more. But, as we’ve learned, it’s not enough just to learn and talk about these things. All policies, procedures, and standards must be implemented in order to comply with PCI Requirement 10.9.
PCI Requirement 10.9 states, “Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.” This is not only saying that your organization needs to maintain documented security policies and operational procedures; the policies and operational procedures need to be known and in use by all relevant parties. It is not sufficient to generate documentation just for the sake of the audit. It is a requirement of this framework that the affected parties actually use the policies and procedures. Your assessor should be reading these documents, familiarizing themselves with the policies and procedures, and interviewing staff to make sure that anybody who is subject to the policies and operational procedures understands what they are. If PCI Requirement 10.9 is not met, your cardholder data could be left vulnerable.
PCI Requirement 10.9 is the capstone to PCI Requirement 10. Once again, the assessor is going to be asking for all of that documentation: policies, procedures, and standards. They will be reviewing it, making sure that it is in place, that you’re actually using it, that you’re managing the documentation, and that it’s known to all affected parties.