Payment Card Industry Data Security Standard (PCI-DSS) Challenges and our Log Management Solutions

Quick Introduction: What is PCI-DSS compliance?

It is a set of regulations for industries dealing with financial, sensitive data. The increased use of credit cards has resulted in the rise of credit card fraud and forgery. The purpose of PCI-DSS is to retain customers' trust on card payments by securing the credit card payment process and safeguard their card credentials. The PCI-DSS standard was established by Visa and MasterCard.

Who are expected to follow the PCI-DSS compliance?

Entitities that store or process credit card information are liable to follow the PCI-DSS compliance such as: the retailers, bankers and other financial service providers.

How to be PCI-DSS compliant?

To achieve the basic level of compliance, ensure that the network is secure and the systems, devices and applications are patched periodically. Maintain and complete audit records of events in system and network. In case, your business requires higher level of compliance and stores credit card credentials, then taking help from the third party audit firms could ease your efforts in certifying yourself compliant.

What if you choose to stay non-compliant? What would be the repercussions?

You are legally bound to heavy penalties to stay non-compliant. This is because your network security proves to be compromised and data leaked out of organization. Also, you are more prone to hacker exploiting your secured data, without your knowledge. You are subject to loss of business and most importantly, customer reputation.

What is expected out of product dealers and payment processors for staying PCI-DSS compliant?

To comply with the PCI-DSS standard, opt for a pre-compliance check. This is to confirm the current standpoint and the expected requirements for proving compliant. Also, to plan out a log management process prior to submitting your records for auditing purpose. The following actions are a must:

• Create and manage a tightly secured environment for the cardholder data
• Keep a check continuously on the running applications and specifically, the systems within the network that contain confidential information
• Incorporate powerful access control check
• Monitor and evaluate the network, periodically
• Monitor and evaluate the security systems and the running processes, periodically
• Manage a secured information standard within the organizational limits

What are the network elements that require a continuous check to be PCI-DSS compliant? 

The PCI-DSS compliance demands a check on the servers, carrying the necessary cardholder information, and applications that are linked to the cardholder data. The network elements, on a whole, would include the firewalls, switches and routers, the wireless access points, all network and security devices. The term 'server' would comprise web server, database that is used for storing the confidential, sensitive information, and the terminal access points.  

What is the connection between log management and PCI-DSS? Why organizations are in need to deploy log management as an integral component of their security policy to comply with the industry set standards?

The primary reason is that log management is a practical approach towards acquiring PCI-DSS compliance. PCI DSS imparts great importance to collecting, auditing and managing event log data. The requirement is not just limited to that but extends the need for businesses to trace and monitor any user access to crucial security-related information on the network. These tasks can be easily achieved through an automatic log management tool. 

PCI-DSS Audit Checklist

Auditing firms advice you on the processes that need to be incorporated; in order to get through the audits successfully:

• Deploying a log management solution to scan and audit the events and activities within the systems. A robust log management tool with pre-built compliance reports would delete the manual effort in categorizing the events that fall under the PCI DSS bracket. The tool alerts on risk occurrence by offering real-time identification of security issues and dynamically reporting on the policy amendments and controls that form the PCI syllabus.
• Lessening the audit interval and strengthening security by providing updated and analyzed log content for audit purposes
• Quickening the report generation process and providing to-the-point reports of volumes of log data
• Identifying the existing faults and security loop-holes, comparing these with PCI-DSS requirement and accordingly filling in the security gaps

EventLog Analyzer Auditing to Suffice Requirements Set Under Sections 10 and 11 of the PCI-DSS Compliance

Overall, log management requirements, as prescribed in the sections 10 and 11 of the PCI-DSS compliance are: event log collection, continuous log monitoring, and analysis. 

Out of this, PCI-DSS section 10 holds importance to the collection and monitoring functionality of log management: 

• Identifying user-specific access and recording it in the log
• Including all system elements under check and incorporating dynamic audit trails to track every possible activity: login, logoff, file read/write access, amendment, deletion, successful and unsucessful logons by every user on every confidential data available within the network
• Ensuring security of log data so that it cannot be hampered

Section 11 emphasizes on the organizations to implement file intergrity (SIEM) through:

• Notifying system administrator personnel about any change or suspicious activity on crucial, confidential files or apparent system attacks
• Conducting important file comparisons on a weekly basis

EventLog Analyzer generates various PCI DSS compliance reports to fulfill the above requirements, relevant to event log management. To know more about the requirement-wise reports for PCI-DSS, offered by EventLog Analyzer, click here.