PCI DSS logging: A must for compliance

Anton Chuvakin, PhD, GCIA, GCIH, GCFA is a well-known security expert and author of the books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy: Learning about Security Threats", Second Edition, Information Security Management Handbook and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS and security management. His blog is one of the most popular in the industry. Today Chuvakin reviews the logging requirements imposed by the Payment Card Industry Data Security Standard (PCI DSS). Everything that follows is Chuvakin's work with minor edits.

* * *

The PCI DSS continues its march from the largest to the smallest merchants, affecting the way thousands of organizations approach security. PCI DSS applies to all organizations that handle credit-card transactions or that store or process payment-card data.

Among other things, it mandates logging of specific details and log-review procedures needed to detect and investigate credit-card fraud, criminal hacking and other security issues.

Even though logging is implied in all 12 PCI requirements, PCI DSS Requirement 10 is dedicated to logging and log management. Logs for all in-scope systems and components must be reviewed at least daily. Organizations must protect the integrity of their logs by deploying file-integrity monitoring or change-detection software on the log files themselves, so that existing log data cannot be altered without notice. Logs from in-scope systems are to be retained for at least one year.
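One way to implement the change-detection part of that requirement, as an added example that is not from the article and not from any particular PCI tool: a hash chain over log entries, where each entry's digest depends on every earlier entry and the latest digest (the "head") is copied to a separate write-once store at the end of each review period. Editing, deleting or truncating earlier entries then fails the next verification, and regenerating the whole chain after an edit is caught by the externally stored head. The log lines below are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample log entries (illustrative only, not from a real system).
SAMPLE_LOG = [
    "2009-12-01T10:00:01Z host1 sshd: Accepted publickey for admin from 10.0.0.5",
    "2009-12-01T10:05:17Z host1 sudo: admin : COMMAND=/bin/cat /var/db/cards.db",
    "2009-12-01T10:06:02Z host1 sshd: Disconnected from 10.0.0.5",
]

# Fixed starting value so an empty chain still has a well-defined head digest.
GENESIS_DIGEST = hashlib.sha256(b"PCI-LOG-CHAIN-V1").hexdigest()

def chain_digest(prev_digest: str, line: str) -> str:
    """Digest of one entry, bound to the digest of the entry before it."""
    return hashlib.sha256((prev_digest + "\n" + line).encode("utf-8")).hexdigest()

def build_chain(lines):
    """Return [(line, digest), ...]; each digest depends on every earlier line.
    The last digest is the head: keep a copy on a separate, write-once store
    (another host, WORM media) where a log-writing host cannot overwrite it."""
    chain, prev = [], GENESIS_DIGEST
    for line in lines:
        prev = chain_digest(prev, line)
        chain.append((line, prev))
    return chain

def verify_chain(chain, expected_head):
    """Recompute the chain and compare it with the stored digests and with the
    externally stored head. Returns (ok, index): index is the first entry that
    fails, len(chain) when only the head mismatches (entries removed from the
    end, or the whole chain regenerated after an edit), or None when the
    chain is intact."""
    prev = GENESIS_DIGEST
    for i, (line, digest) in enumerate(chain):
        prev = chain_digest(prev, line)
        if not hmac.compare_digest(prev, digest):
            return False, i
    if not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None

if __name__ == "__main__":
    original = build_chain(SAMPLE_LOG)
    head = original[-1][1]  # this value is what gets stored off-host
    print("untouched:", verify_chain(original, head))
    edited = list(original)
    edited[1] = (edited[1][0].replace("cards.db", "notes.txt"), edited[1][1])
    print("edited entry:", verify_chain(edited, head))
```

A daily review job that recomputes the chain and compares the head against the off-host copy gives the "changed without notice" alert the requirement asks for; protecting the head copy is what makes the scheme more than a checksum.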

System administrators often ask for more details of the logging requirements; for example, "What configuration settings should we change on our system?" An *authoritative* guide on logging for PCI DSS, such as the one I created for a consulting client during a recent PCI logging project, should answer the following questions:

• Log which events?

• Log which details?

• Retain which logs?

• Review which logs?

• How should we review logs?

By the way, the italics for authoritative serve to remind readers that only your own Qualified Security Assessor (QSA) holds an authoritative view on the subject; the rest of us have to settle on a defensible view. Such a defensible guide must translate guidelines into a specific logging policy with actionable tasks and operational procedures while making a few assumptions about your organization. Such guidance must cover both the PCI logging requirements needed to achieve and to stay compliant with PCI and those needed to get compliance validated. Such logging will also be useful beyond PCI compliance, following the "compliance+" model that I use for many security technologies. When I was teaching my log management class at a SANS conference in December 2009, many students confirmed that it has been their experience as well.

* * *

Anton Chuvakin, PhD, GCIA, GCIH, GCFA is a recognized security expert in the field of log management and PCI DSS compliance. Chuvakin was a director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a chief logging evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Anton earned his PhD degree from Stony Brook University. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations.
