Rules are rules: Any business or organization that handles credit and debit card payments must meet the Payment Card Industry Data Security Standards (PCI DSS). The hard truth is, it's easy to for businesses to become overwhelmed with all of the PCI DSS requirements, especially if they don’t have a security expert on staff or a trusted Managed Service Provider (MSP) to supplement security knowledge. Business owners often contemplate whether they need to comply with all of the requirements, or if all even apply to them specifically.
PCI DSS has twelve requirements built to ensure secure storage, processing and transmission of credit card information. But what does this really mean, and aren’t they all created equal?
The short answer is yes and no. While meeting all requirements is mandatory, some requirements are more difficult to achieve than others. Requirement 10 in the standard requires that all businesses must monitor any access to network resources and card holder data.
Why Is This So Difficult?
If you're an MSP, it's likely that your clients will need help complying with PCI DSS Requirement 10. The following reasons illustrate why it's easier said than done.
- Most software easily tracks and logs activity; however, most businesses struggle with actually maintaining and analyzing their logs.
- Prior to the introduction of software like Security Information and Event Management (SIEM), gathering too few logs was an issue.
- Not keeping and tracking enough logs makes it difficult to properly comply with PCI DSS.
- Now, with more advanced software, MSPs are drowning in too many logs, making it close to impossible for them to provide the proper information in the event of a breach.
How You Can Help
Below are just a few of the section 10 requirements that businesses tend to have a difficult time achieving, and recommendations on how Continuum Fortify for Network Security can help complete these requirements.
10.1 (a): Are audit trails enabled and active for system components?
Audit trails are like a hall monitor on your system. It is imperative that your IT and security team has a record of all users and changes on the network. Fortify for Network Security has the integrated ability to collect these records. This is also a life saver when your company has to complete not only PCI SAQ, but other audits such as ISO 27001 and SSAE SOC 1 and SOC 2.
10.5.5: Is FIM (File Integrity Monitoring) or change-detection software used on logs to ensure that existing log data cannot be changed without generating alerts (new data being added should not cause an alert)?
FIM is often an overlooked requirement with PCI. Having an automated change detection software in place like Fortify to alert on any log data is a general security best practice. It should also give you a “heads up” on any malicious activity.
10.6: Review logs and security events for all system events for all system components to identify anomalies or suspicious activity.
This requirement can look like a daunting task, but we can help by supplying a one stop repository from which to review log data from across a client's entire IT infrastructure.
10.7 (a): Are audit log retention policies and procedures in place and do they require that logs are retained for at least one year, with a minimum of three months immediately available for analysis (for example: online, archived, or restorable from backup)?
A year may seem like a long time, but this is a standard and it is recommended to retain backups for 3-5 years. Keeping this data may seem like overkill, but it can provide proper details needed in the event of a breach. Why? The average breach isn’t discovered for over 8 months and having the ability to backtrack the history plays an important role in the forensic stage. Fortify for Network Security creates archive files of all collected log entries, organized in a daily log structure for quick reference.
Bringing it All Together
Meeting PCI DSS compliance demands for logging isn’t technically complicated if you are equipped with the right tools, but being able to analyze, organize and make sense of the data is a common struggle. Continuum Fortify allows you to provide your customers with true advanced threat protection with SIEM, which creates PCI compliance readiness.
For more information about how we can help with PCI compliance requirement 10, and other requirements, refer to the PCI solution brief.
Handpicked for you:
By Lily Teplow
By Paula Rhea
By Gretchen Hoffman