Logs play a pivotal role in PCI DSS and are crucial to discovering possible threats, vulnerabilities and breaches, and to mitigating and remediating breaches. The effort lies in satisfying the requirements of every sub-section of this control, plus the review and parsing of logs, the reports that follow each logged activity, and the retention of all these logs and reports for 365 days.
This can be overwhelming for a retailer who needs to go through an audit every year. Unfortunately, Level 1 and Level 2 merchants do not have a choice: PCI DSS mandates this piece, as it is one of the most important PCI DSS controls for achieving PCI compliance and securing customer data. In addition, the collection of these logs and reports, and evidence that it has been ongoing for a full year, is critical.
The log list includes:
- Logs of all access to the cardholder data environment (CDE), whether successful or failed attempts
- Logs of actions following the login
- Logs of every patch session and critical update
- Logs of anti-virus and anti-malware updates
- Logs of all events and activities
- Logs of remote-control sessions
- Logs of firewall activity
- Logs of file-integrity monitoring
- Logs of every event that takes place in the CDE
Sequence of actions
Lay the groundwork for a clean way of linking access and activity across the various system components in the CDE, so that every move of a user or an administrator can be monitored, tracked, recorded and reported on. It is impossible to do this manually, however small or large an IT staff may be. Automating this long list of everyday activity is the most logical way of tracking and recording events. Automation ensures that clear evidence is available in case of a hack or data compromise, and helps reconstruct the event to determine the origin of a breach.
Tracking and collecting logs mean nothing if the information gathered is not complete. Each entry has to show the username with the timestamp of when the person logged in, whether it was a successful or failed login attempt, and the sequential course of actions that followed.
An administrator or user who has been given the privilege of accessing and/or parsing the logs should also be monitored and their activity tracked, so that the logs are never altered. Reports help validate that. A Qualified Security Assessor (QSA) requires all pieces of the logging and monitoring requirement for verification and validation.
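As an added illustration (not Omega's code or any PCI DSS tooling), the checks below apply the two points above to a few constructed records: every entry must carry a user, timestamp, event and outcome, failed logins are pulled out for review, a hash chain gives a way to detect later alteration of the log by anyone with read/write access to it, and the oldest entry is compared against the 365-day window. The key=value record layout, field names and sample values are assumptions made for the example.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample records in an assumed key=value layout (not real syslog output).
# Entries 4 and 5 are deliberately incomplete: no user, and no outcome, respectively.
SAMPLE_LOG = """\
ts=2024-03-01T08:15:02Z user=alice event=login outcome=success src=10.0.5.21
ts=2024-03-01T08:15:40Z user=alice event=file_read outcome=success target=/cde/txn.db
ts=2024-03-01T08:16:05Z user=mallory event=login outcome=failure src=10.0.5.99
ts=2024-03-01T08:17:11Z event=login outcome=success src=10.0.5.22
ts=2024-03-01T08:18:00Z user=bob event=login src=10.0.5.23
"""
# Fields the text says every entry must show: who, when, what, and success or failure.
REQUIRED = ("ts", "user", "event", "outcome")
RETENTION = timedelta(days=365)

def parse(line):
    """Split one record into a dict of its key=value fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def missing_fields(line):
    """Required fields absent from a record; an empty list means it is complete."""
    return [f for f in REQUIRED if f not in parse(line)]

def failed_logins(lines):
    """Usernames behind failed login attempts, the entries an assessor asks about first."""
    recs = [parse(l) for l in lines]
    return [r["user"] for r in recs if r.get("event") == "login" and r.get("outcome") == "failure"]

def chain_digest(lines, seed="constructed-seed"):
    """Hash-chain the entries: altering any earlier line changes the final digest,
    so a digest recorded off-box exposes tampering by a privileged log reader."""
    digest = seed
    for line in lines:
        digest = hashlib.sha256((digest + "\n" + line).encode()).hexdigest()
    return digest

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def covers_retention(lines, now_iso):
    """True when the oldest entry is at least 365 days before `now_iso`."""
    oldest = min(_ts(parse(l)["ts"]) for l in lines if "ts" in parse(l))
    return _ts(now_iso) - oldest >= RETENTION

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print([(i, missing_fields(l)) for i, l in enumerate(lines, 1) if missing_fields(l)])
    print(failed_logins(lines), chain_digest(lines)[:16])
```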
Achieving PCI Compliance
Omega ATC makes PCI compliance uncomplicated through its managed, hosted service, OmegaSecure™. Automated, centralized monitoring, logging and patching of all systems from one central console to attain compliance are highlights of Omega’s services. Partnering with Omega ATC has dramatically lowered the possibility of a breach at several of our customers’ retail locations.
Here’s a peek at how OmegaSecure addresses requirement 10 for ‘tracking and monitoring access to cardholder data’.
1. Firewall/router logs are retained for a year
OmegaSecure captures the logs from the firewall every day and consolidates them at the data center. The logs are also parsed for any threats, and customer personnel are alerted in the event of unusual activity.
2. Remote control sessions are logged and retained for a year
These logs are captured from every store for every remote-control access event. Detailed logs record who logged on, the time they logged on and off, and the reason for accessing the system. This requirement also applies to third parties who access store systems.
3. Patch history logs are consolidated and retained for a year
The patch logs are brought to the OmegaSecure data center, consolidated, and retained centrally. In addition, alerts are generated if patches are missing or have failed to apply. These alerts are reviewed by Security Strategists. Customer personnel are also notified in the event of patch failures.
4. System, security, event, and application logs are consolidated and retained for 365 days
These logs are generated automatically by POS and back-office machines and retained. Reports are generated to show the health of the system and alerts are tracked for satisfactory resolution.
5. Anti-Virus (AV) logs are retained for a year, consolidated and monitored
Regardless of the Anti-Virus product used, the logs for all signature file updates, actual virus scan results, and quarantine data are managed centrally for all systems. Proof of alerts and handling of those alerts are retained. The most important aspect is how OmegaSecure updates the signature files, runs the scans, creates logs, consolidates them centrally, alerts the monitoring personnel and finally creates the reports for all machines.
This is a brief overview of Omega’s tracking and logging features. If you’d like to get in touch with us or learn more about Omega ATC and its services, use our quick contact form. Just fill it out, and we’ll get back to you right away.