PCI-DSS Requirement 10: Logging and Auditing
PCI-DSS Requirement 10 (“Track and monitor all access to network resources and cardholder data”) is about audit trails: logs that record who accessed cardholder data and the systems around it, what they did, and when, so that a compromise can be detected and its cause reconstructed afterwards. The logs must cover every individual user, including administrators and remote vendors, who accesses a system or application that stores, processes or transmits cardholder data, and they must also cover access to the audit logs themselves. In practice this means implementing logging on every server and application that handles protected data, with each logged action attributed to a named individual rather than a shared account.
This is an ongoing requirement, not a one-off project: Requirement 10.6 mandates that logs and security events be reviewed at least daily (automated log harvesting, parsing and alerting tools are explicitly allowed for this), and Requirement 10.7 sets the retention terms: audit trail history must be kept for at least one year, with a minimum of three months immediately available for analysis. (The sub-requirement numbers here follow PCI DSS v3.x; v4.0 renumbers them but keeps the daily-review and one-year/three-month retention rules.)
The Challenge of PCI-DSS Requirement 10 for Custom Applications
Complying with this requirement can be very difficult for custom applications that do not already incorporate comprehensive logging. Even if the source code is available and the original developers are on hand, retrofitting the mandated logging into these applications is often a difficult, expensive and risky undertaking.
There is an easier way.
An Elegant PCI Logging Solution for Custom Applications
Achieving PCI logging and auditing coverage for custom applications does not have to mean touching a line of custom code. Instead, software known as Screen Session Recording or User Activity Monitoring can help satisfy the requirement by monitoring and recording every user action performed within custom applications, much like a video camera watching users’ screen activity over their shoulder. These systems also generate text-searchable logs of the recorded actions, and each log entry is linked to the corresponding point in the screen recording.
By installing agent software on every machine with direct or indirect access to the custom applications, every user action in those applications is recorded (as video) and logged (as text), which provides the user-level “who-did-what-and-when” trail Requirement 10 asks for without changing the applications themselves. One caveat for practitioners: Requirement 10 also covers system-level audit trails (operating system, database and network device logs), clock synchronization (10.4) and protection of logs against tampering (10.5), so user activity recording addresses the application-access part of the requirement and complements, rather than replaces, those controls.
The daily review requirement is served by the User Activity Monitoring system as well: alerts and reports can be defined to include any activity involving protected data, making it a simple matter to review a day’s worth of relevant access. Predefined compliance reports supplied with these systems list the relevant actions, with links to video replay for further clarification, so that a daily review can be performed largely out of the box.
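To make the daily review and the retention rule concrete, here is an added example (not ObserveIT code or output) that runs a Requirement 10 style review over constructed user-activity log records: it summarises who touched PCI-scoped applications on a given day, flags sessions a reviewer should open the recording for, and classifies each record into the three-month “immediately available” window, the one-year archive, or past retention. The JSON record layout, the `pci_scope` tag, the session identifiers, the business-hours window and the flagging rules are all assumptions made for illustration; a real monitoring product has its own schema and policy engine.

```python
"""Daily PCI DSS Requirement 10 review over user-activity log records.

Added example, not vendor code. The record format, field names, the
'pci_scope' tag and the business-hours window are assumptions.
"""
import json
from collections import defaultdict
from datetime import date, datetime, timezone

IMMEDIATE_DAYS = 90          # 10.7: at least three months immediately available
RETAIN_DAYS = 365            # 10.7: at least one year of audit trail history
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 UTC; adjust per site

# Constructed sample records, one JSON object per line, as an agent might emit.
SAMPLE_LOG = """\
{"ts": "2023-05-10T09:02:11Z", "user": "jsmith", "host": "pos-srv-01", "app": "BillingDesk.exe", "window": "Customer card lookup", "action": "click", "pci_scope": true, "session": "s-1001"}
{"ts": "2023-05-10T09:03:40Z", "user": "jsmith", "host": "pos-srv-01", "app": "BillingDesk.exe", "window": "Customer card lookup", "action": "export", "pci_scope": true, "session": "s-1001"}
{"ts": "2023-05-10T12:15:05Z", "user": "vendor_acme", "host": "pos-srv-01", "app": "notepad.exe", "window": "readme.txt", "action": "keystroke", "pci_scope": false, "session": "s-1002"}
{"ts": "2023-05-10T23:48:19Z", "user": "vendor_acme", "host": "db-01", "app": "sqlcmd.exe", "window": "cardholder_db", "action": "keystroke", "pci_scope": true, "session": "s-1003"}
{"ts": "2023-05-11T08:00:00Z", "user": "jsmith", "host": "pos-srv-01", "app": "BillingDesk.exe", "window": "Customer card lookup", "action": "click", "pci_scope": true, "session": "s-1004"}
"""


def parse_records(text):
    """Parse one JSON object per line into dicts with a timezone-aware 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        records.append(rec)
    return records


def daily_review(records, day):
    """Who-did-what-and-when summary of PCI-scoped activity on one day.

    Returns {user: {"in_scope_actions": int, "sessions": [..], "flagged": [..]}}.
    'flagged' holds (reason, session) pairs whose recording a reviewer should open.
    Out-of-scope records and other days are ignored entirely.
    """
    report = defaultdict(
        lambda: {"in_scope_actions": 0, "sessions": set(), "flagged": []})
    for rec in records:
        if rec["ts"].date() != day or not rec.get("pci_scope"):
            continue
        entry = report[rec["user"]]
        entry["in_scope_actions"] += 1
        entry["sessions"].add(rec["session"])
        # Assumed flagging rules: data leaving a scoped app, or off-hours access.
        if rec["action"] == "export":
            entry["flagged"].append(
                ("export from PCI-scoped application", rec["session"]))
        if rec["ts"].hour not in BUSINESS_HOURS:
            entry["flagged"].append(
                ("PCI-scoped access outside business hours", rec["session"]))
    for entry in report.values():
        entry["sessions"] = sorted(entry["sessions"])
    return dict(report)


def retention_tier(ts, today):
    """Classify a record by age against the 10.7 retention windows."""
    age_days = (today - ts.date()).days
    if age_days <= IMMEDIATE_DAYS:
        return "immediate"   # must be searchable without restoring from archive
    if age_days <= RETAIN_DAYS:
        return "archive"     # may be offline but must be retrievable
    return "expired"         # beyond the mandated minimum; purge per local policy


def render_report(report, day):
    """Plain-text report in the order a reviewer reads it: user, then findings."""
    lines = [f"PCI DSS Req. 10 daily review for {day.isoformat()}"]
    for user, e in sorted(report.items()):
        lines.append(f"{user}: {e['in_scope_actions']} in-scope action(s), "
                     f"sessions {', '.join(e['sessions'])}")
        for reason, session in e["flagged"]:
            lines.append(f"  REVIEW recording {session}: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    review_day = date(2023, 5, 10)
    print(render_report(daily_review(recs, review_day), review_day))
    for rec in recs:
        print(rec["session"], retention_tier(rec["ts"], date(2023, 12, 1)))
```

The report deliberately keys on the session identifier rather than on individual events, because the point of linking text logs to recordings is that the reviewer jumps straight from a flagged line to the video of that session. The retention tiers are a minimum: nothing in Requirement 10 forbids keeping logs longer, but anything under 90 days old must remain searchable without a restore.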
In conclusion, the demands of PCI-DSS Requirement 10, which have intimidated IT and management teams alike, can be met with a suitable User Activity Monitoring system even for custom applications that have no built-in logging. Auditors appreciate the combination of instant keyword search with visual recordings of every user action, and daily log reviews are fast with predefined compliance reports.
If your company has one or more custom applications which store or process credit card data, it behooves you to take a close look at one of these products. Of course, we’d be happy for you to take a close look at our own solution, ObserveIT!