PCI/DSS Log Requirements

PCI DSS (Payment Card Industry Data Security Standard) was developed to ensure data security in card payment systems. It was created by the PCI Committee formed by the internationally accepted payment brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS consists of various controls on the transmission, processing and storage of information in the information systems of institutions and organizations involved in card payment systems. Some of these controls concern log analysis and management.

The PCI/DSS standard ultimately aims at the following:

  • In general, the aim is to protect cardholder data; therefore, a secure network must first be established.

  • Existing systems within the established network (firewall, IPS, WAF, etc.) must not be used with the default settings and user accounts set by the vendor.

  • Stored customer data must be protected by keeping it encrypted, and it must be transmitted to other systems in encrypted form.

  • The continuity of the established secure structure must be ensured (use of antivirus, necessary updates, etc.).

  • The secure infrastructure is expected to be continuously improved, developed and maintained.

  • Access to customer data must be restricted, and access to customer data must be tracked.

  • Access to all network resources (router, switch, firewall, IPS, IDS, etc.) and to customer data must be continuously tracked and monitored. (This stage refers to logging: in short, detailed logs of the entire scope should be collected, logs should be kept for at least 1 year, logs should be protected (file integrity, logging of whoever accesses the logs), and it should be possible to review them daily with an automated tool.)

  • Security systems and processes must be tested constantly.

PCI/DSS logging requirements:

  • Identifying all systems within the scope of PCI/DSS is the priority. Logs should be obtained in as much detail as possible from all systems within the scope of the PCI/DSS audit (the standard is not very specific here, so it is better to collect as much as possible).

  • Collect the logs from all systems in this scope in central storage (a SIEM product).

  • Protect the collected logs against modification and unauthorized access. Therefore, after the logs are stored in a secure system, access to and changes made to these logs must themselves be logged.

  • Establish a structure that can review the collected logs daily.

  • PCI/DSS requires logs to be kept for 1 year and requires the last 3 months' logs to be easily accessible.

  • What to log is a little less defined, but it is recommended to log the following:
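The three requirements above (central collection, protection against modification with logging of access to the logs, and the 1-year / 3-month retention split) can be illustrated with a small tamper-evident log store. The code below is an added example, not part of the original article or of the PCI DSS documents: each stored record carries the SHA-256 hash of the previous entry, so any edit or deletion inside the chain is detected on review, and a retention helper classifies records against the retention windows. The seed string, the sample records, the field names and the 90-day / 365-day approximations of "3 months" and "1 year" are all assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

CHAIN_SEED = "pci-log-chain-seed-v1"  # constructed constant for the example, not from any standard


def _canonical(record):
    # Deterministic serialisation so the same record always hashes the same way
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_records(records, seed=CHAIN_SEED):
    """Wrap each record with the hash of the previous entry (tamper-evident chain)."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chained = []
    for rec in records:
        digest = hashlib.sha256(prev.encode() + _canonical(rec)).hexdigest()
        chained.append({"record": rec, "prev": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained, seed=CHAIN_SEED):
    """Return the index of the first broken entry, or None if the chain is intact."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for idx, entry in enumerate(chained):
        expected = hashlib.sha256(prev.encode() + _canonical(entry["record"])).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return idx
        prev = entry["hash"]
    return None


def retention_class(record_time, now):
    """Classify a record: 'online' (last ~3 months), 'archive' (up to ~1 year), else 'expired'.

    The 90-day and 365-day cut-offs are assumptions approximating the article's 3 months / 1 year.
    """
    age = now - record_time
    if age <= timedelta(days=90):
        return "online"
    if age <= timedelta(days=365):
        return "archive"
    return "expired"


# Constructed sample records (not real audit data); note the last one logs an access to the logs themselves
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T08:00:00+00:00", "user": "alice", "event": "login", "result": "success"},
    {"ts": "2024-01-10T08:05:12+00:00", "user": "alice", "event": "card_lookup", "result": "success"},
    {"ts": "2023-03-01T08:06:40+00:00", "user": "bob", "event": "login", "result": "failure"},
    {"ts": "2024-05-01T08:07:00+00:00", "user": "auditor", "event": "log_read", "target": "auth.log"},
]


def demo():
    """Build the chain, verify it, tamper with one entry, verify again, then classify retention."""
    chained = chain_records(SAMPLE_RECORDS)
    intact = verify_chain(chained)                  # None: nothing was modified
    tampered = json.loads(json.dumps(chained))      # deep copy of the stored chain
    tampered[2]["record"]["result"] = "success"     # rewrite a failed login as a success
    broken_at = verify_chain(tampered)              # 2: the edited entry no longer matches its hash
    now = datetime(2024, 5, 15, tzinfo=timezone.utc)  # fixed reference date so results are deterministic
    classes = [retention_class(datetime.fromisoformat(r["ts"]), now) for r in SAMPLE_RECORDS[:3]]
    return intact, broken_at, classes


if __name__ == "__main__":
    print(demo())
```

The chain only makes tampering detectable, not impossible: the verification seed and the chain itself must live where the log writers cannot rewrite them (for instance on the SIEM rather than on the originating host), and the verifier's own reads should be logged like any other access to the logs.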

      • Successful and unsuccessful authentications

      • Access to card information

      • Details of accesses and transactions recorded in audit trails

      • Details regarding session information

      • Use of and changes to identification and authentication mechanisms

      • Audit logs

      • Antivirus (AV) logs

      • Logs created for visitors (visitor name, company name, physical access authorizations)

      • Changes to time settings on important systems

      • Logs of technologies used within the organization (wireless, DNS, mail)

      • Operations on all servers and system components that perform security functions (firewalls, intrusion detection/intrusion prevention systems [IDS/IPS], etc.)

      • All physical access and activity involving network resources and cardholder data, on an uninterrupted basis

      • Logs of inserted media (USB, CD, etc.)

  • It would be useful to obtain audit logs of all data access in applications. For the web, this is the standard httpd access log.

  • Log all authorized and unauthorized access to system components, application installation and removal, user activities, etc. For this reason, every logged user action should be associated with a username.

Details of the structure of the collected log:

  • There must be a timestamp.

  • Sensitive protected data such as usernames/passwords, card information, etc. should not appear in the log.

You can review the relevant requirements in the PDF below in great detail, especially requirement 10.x, which covers logging.
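A record validator that enforces the structural rules just listed (a timestamp on every record, a username attached to every user action, and no card numbers or credentials in the message), as an added example that is not part of the original article or of any PCI DSS document. It checks each record before it is written to central storage, masks card numbers that pass a Luhn check, and redacts credential-like key/value pairs. The record field names (`ts`, `user`, `msg`), the credential keyword list, the timestamp format requirement and the sample records are all assumptions made for the example.

```python
import re
from datetime import datetime

# Timestamp must carry an explicit UTC offset so events from different systems can be correlated
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{3,6})?(?:Z|[+-]\d{2}:\d{2})$")
# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# key=value or key: value pairs whose key names a credential (constructed keyword list)
SECRET_RE = re.compile(r"(?i)\b(password|passwd|pwd|cvv|cvc2|pin)\s*[=:]\s*\S+")


def luhn_ok(digits):
    """Standard Luhn checksum; used so that arbitrary long numbers are not masked as card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def timestamp_ok(value):
    """Accept only RFC 3339-style timestamps with an explicit offset that also parse as real dates."""
    if not isinstance(value, str) or not TS_RE.match(value):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def mask_pans(text):
    """Replace every Luhn-valid 13-19 digit number with asterisks plus its last four digits."""
    found = False

    def repl(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)          # not a card number: leave it as written
        found = True
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_RE.sub(repl, text), found


def redact_secrets(text):
    """Blank the value of any credential-like key/value pair."""
    cleaned, count = SECRET_RE.subn(r"\1=[REDACTED]", text)
    return cleaned, count > 0


def validate_record(record):
    """Return (issues, sanitised_record); an empty issues list means the record may be stored as-is."""
    issues = []
    clean = dict(record)
    ts = record.get("ts")
    if ts is None:
        issues.append("missing_timestamp")
    elif not timestamp_ok(ts):
        issues.append("bad_timestamp")
    if not record.get("user"):
        issues.append("missing_user")
    msg, pan_found = mask_pans(str(record.get("msg", "")))
    if pan_found:
        issues.append("pan_in_message")
    msg, secret_found = redact_secrets(msg)
    if secret_found:
        issues.append("secret_in_message")
    clean["msg"] = msg
    return issues, clean


# Constructed sample records; 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a real card
SAMPLE_RECORDS = [
    {"ts": "2024-03-01T08:05:12+00:00", "user": "alice", "msg": "card_lookup pan=4111111111111111 result=ok"},
    {"user": "bob", "msg": "login failed password=hunter2"},
    {"ts": "2024-03-01 08:05", "user": "carol", "msg": "order 1234567890123 shipped"},
    {"ts": "2024-03-01T08:06:40Z", "user": "", "msg": "session opened"},
    {"ts": "2024-03-01T08:07:00+03:00", "user": "dave", "msg": "refund card 4111 1111 1111 1111 amount=10.00"},
]


def demo():
    """Validate each sample record and return (issues, sanitised message) for each."""
    results = []
    for rec in SAMPLE_RECORDS:
        issues, clean = validate_record(rec)
        results.append((issues, clean["msg"]))
    return results


if __name__ == "__main__":
    for issues, msg in demo():
        print(issues, "->", msg)
```

The third sample shows why the Luhn check matters: a 13-digit order number is left untouched, so the masking does not destroy legitimate identifiers, while the record is still rejected for its space-separated, offset-less timestamp. Records that fail validation should be routed to a quarantine queue and counted, since a sudden rise in rejected records is itself something the daily review should notice.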

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
