We’ve been on the “Road Map to PCI” journey together for 10 months now! This month, it’s time to get technical. We are going to look at the PCI Council’s fifth area of focus and press into the requirement: “Track and monitor all access to network resources and cardholder data.”
Many smaller organizations may not need to complete this aspect of PCI, due to the fact in the current version these requirements are only found within Self-Assessment Questionnaire D*. SAQ D is reserved for Service Providers (those providing a service that impacts a card payment transaction via processing, storing, or transmitting card data) or for merchants who don’t fit into any other SAQ but still collect card data. For example a merchant with a payment page that processes, stores, or transmits card data; or that stores card data locally in other ways. Because the requirements of SAQ D can be prohibitive most small organizations choose not to process, store, or transmit card data themselves, but rather outsource these types of payment processing components.
*It is important to note, version 3.0 of PCI goes into effect January of 2015 and Requirement 10 will be a part of SAQ A-EP, SAQ C, and SAQ D.
If your Qualified Security Assessor has confirmed that you are not required to complete SAQ D, congratulations! At this point you can keep reading because Data Security is a captivating subject matter and you want to be an overachiever… or you could breathe a sigh of relief and get back to other important items on your to-do list, like watching cat videos. All kidding aside, stay with me if your organization needs to complete an SAQ D, or plan to complete Requirement 10 after PCI version 3.0 goes into effect. Next, we will take a brief look at the key points, Requirement 10 addresses.
Requirement 10 is all about tracking. Whether it is data transmission/movement or system access, it is extremely important to keep logs of who, what, when, and why a system was accessed. This also includes tracking the movement of data in and out of your systems.
For example, tracking who has access to systems that transmit and/or store card data as well as systems that manage your systems’ audit trails/logs need to be monitored and logged as well. For obvious reasons, if a system is compromised or if an employee was to “go-rogue” they could access the card data system and attempt to cover their tracks by altering any number of logs. Environments with multiple systems will use a time server to synchronize all servers’ clocks to ensure consistent times across all systems; this is a critical component in order to have an effective logging and review process. Keep a history of all your critical systems’ logs for at least one-year, this is a great best practice to make sure you always have access to these vital reports should you ever need them.
Change is Important
With audit trails and logging in effect next is the task of reviewing these reports to ensure that nothing out of the ordinary is taking place. Review the changes captured on your daily and periodic logs and note any new users that may have been created or when access rights and permissions for a user change.
Utilizing a File Integrity Monitoring System (FIM) is a great way to keep track of these types of changes. These types of internal control systems should always be running to ensure all changes to a system impacting the transmission or storage of card data, as well as your audit trails and logs, are accurately tracked. Many times criminals will create a malicious file using the name of a legitimate file in your system so as to go unnoticed; this malicious file if successfully uploaded and undetected could allow them to compromise your system.
One final note on tracking changes: personally configure any automatic notifications made available by your FIM. When configuring your notifications be sure they will notify you automatically of anything outside of the parameters you define. Setting proper parameters can be difficult and a good rule of thumb is to be conservative and make adjustments over time. If you are not conservative enough you run the risk of missing something important that you intended to be notified about. When you review your notifications remember that a manual review of your logs is still a requirement.
Document Your Process
A large portion of the PCI security standards are focused on documentation. Documenting in detail your policies and procedures for how you monitor your audit trails and logs is critical. An annual review of these policies will help ensure that everyone on your team is on the same page and that your policy stays current and relevant to your needs. Even if staffing changes occur, your detailed documentation will enable your organization to maintain strong continuity as it relates to your security policies.
The recent breaches experienced by several major companies over the last year have shown the importance of tracking and logging. In many cases it was months before these breaches were detected. Implementing a methodical and consistent approach to audit trails and logs is critical and will ensure that detection of a system breach happens much sooner or prevents it from ever happening. It’s no surprise that this component is a critical piece for PCI Compliance.
Next month we will look at Requirement 11, “Regularly test security systems and processes” and see why testing your network is important organizations that process transactions over the internet and how you can effectively test your network for vulnerabilities.
If you have any questions about PCI that you would like to see covered, let us know! You can email us at firstname.lastname@example.org to share your thoughts or questions which we may then address here on our blog!