Anton Chuvakin, PhD, GCIA, GCIH, GCFA continues his two-part review of logging requirements imposed by the Payment Card Industry Data Security Standard (PCI DSS). Everything that follows is Dr Chuvakin’s work with minor edits. (Part 1)
In today's column, he presents some practical guidance for readers.
* * *
A PCI-consistent logging policy must include at least the following elements:
• Adequate logging: covers both logged event types and details for all systems in scope for PCI DSS. As a reminder, this includes not only systems that store or process card data, but also those that are directly connected to them (no firewall in between).
• Central log aggregation: making sure that logs are retained in a controlled environment and not left to rot wherever they are produced is a PCI compliance requirement.
• Log retention: PCI DSS has an easy answer for your log retention policy: logs must be stored for one year with the last three months available in an easily accessible storage (not tape).
• Log protection and security: PCI also mandates limiting access to logs and employing the technology to detect any possible changes of stored logs.
• Daily log review procedures and tasks: this requirement is by far the most onerous for most organizations. However, it does not mean that every single log must be read by a human being. Automated tools can and must be used for automated log review.
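Two of the policy elements above, log protection (detecting any change to stored logs) and retention (one year, with the last three months readily accessible), are shown in the following added example. It is not code from the column or from any PCI tool; the HMAC chaining scheme, the key handling, and the tier names are assumptions made for the example, and the records and dates are constructed.

```python
"""Added example: a tamper-evident log store with PCI DSS-style retention tiers.

Each stored record is chained to the previous one with an HMAC-SHA256 tag, so
modification, deletion or reordering of any record breaks the chain from that
point on. Records are also classified into retention tiers: "online" for the
last three months, "archive" up to one year, "disposable" beyond that.
"""
import hashlib
import hmac
from datetime import date

ONLINE_DAYS = 90     # last three months must be readily accessible (not tape)
RETAIN_DAYS = 365    # one year of total retention

# Assumption for the example: the key lives in the central log-management
# system, not on the producing hosts, so a compromised host cannot recompute
# tags after editing its own logs.
CHAIN_KEY = b"example-log-chain-key"
GENESIS = b"\x00" * 32   # previous-tag value for the first record


def chain_records(records, key=CHAIN_KEY):
    """Return a list of (record, tag_hex) with tag = HMAC(key, prev_tag || record)."""
    prev = GENESIS
    chained = []
    for rec in records:
        tag = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        chained.append((rec, tag.hex()))
        prev = tag
    return chained


def verify_chain(chained, key=CHAIN_KEY):
    """Recompute the chain; return the index of the first record whose tag does
    not verify, or -1 if the whole chain is intact."""
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(chained):
        expect = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, bytes.fromhex(tag_hex)):
            return i
        prev = expect
    return -1


def retention_tier(record_day, today):
    """Classify a record by age; both arguments are ISO dates (YYYY-MM-DD)."""
    age = (date.fromisoformat(today) - date.fromisoformat(record_day)).days
    if age < 0:
        return "future"        # clock skew or forged timestamp: investigate
    if age <= ONLINE_DAYS:
        return "online"        # must be readily searchable
    if age <= RETAIN_DAYS:
        return "archive"       # may live on slower storage
    return "disposable"        # past the one-year requirement


if __name__ == "__main__":
    # Constructed sample records and a tampered copy of the second one.
    chained = chain_records(["login ok user=a", "login ok user=b", "sudo user=b"])
    print("intact chain, first bad index:", verify_chain(chained))
    tampered = list(chained)
    tampered[1] = ("login ok user=ATTACKER", chained[1][1])
    print("tampered chain, first bad index:", verify_chain(tampered))
    print(retention_tier("2024-01-01", "2024-05-01"))
```

Deleting a record is caught at the record that followed it, because that record's tag was computed over the deleted one's tag. Truncating the tail of the chain is the one case the chain alone cannot reveal; for that, the latest tag and record count should be written into the daily review record so the next review can check them.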
Let's now focus on log review in depth. PCI DSS states that one must "Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS)." It then adds that "Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6."
PCI DSS testing and validation procedures for log review mandate that a Qualified Security Assessor (QSA) should "obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required." The QSA must also "through observation and interviews, verify that regular log reviews are performed for all system components." To satisfy those requirements, an organization should create PCI System Log Review Procedures and workflows that cover:
• Log review practices, patterns and tasks
• Exception investigation and analysis
• Validation of these procedures and management reporting.
The procedures should cover both review with automated log management tools and manual review for cases where tools are not available or cannot parse the log formats produced by the payment applications.
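The review procedure described above, turned into a small automated daily review that produces a summary plus an exception list for follow-up, as an added example that is not part of the column. The log line format, the host names, the event names and the failed-login threshold are assumptions for the example, and the sample log lines are constructed.

```python
"""Added example: automated daily log review with exception tracking.

Reads one day of events from in-scope systems, summarizes them per host and
event type, and raises exceptions that the written procedure requires someone
to investigate: missing logs from an in-scope host, failed-login bursts, a
success following a burst, account creation, and audit logging being stopped.
"""
import re
from collections import Counter, defaultdict

# Assumed line format: "<timestamp> <host> <EVENT> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) ?(?P<kv>.*)$")

IN_SCOPE_HOSTS = {"pos-app-01", "db-card-01", "radius-01"}  # assumed PCI scope
FAIL_THRESHOLD = 5   # failed logins per (user, source) that open an exception

# Constructed sample: one day of events; note db-card-01 sends nothing.
SAMPLE_LOGS = """\
2024-05-01T02:11:03Z radius-01 AUTH_FAIL user=jdoe src=10.1.2.3
2024-05-01T02:11:05Z radius-01 AUTH_FAIL user=jdoe src=10.1.2.3
2024-05-01T02:11:07Z radius-01 AUTH_FAIL user=jdoe src=10.1.2.3
2024-05-01T02:11:09Z radius-01 AUTH_FAIL user=jdoe src=10.1.2.3
2024-05-01T02:11:11Z radius-01 AUTH_FAIL user=jdoe src=10.1.2.3
2024-05-01T02:11:40Z radius-01 AUTH_OK user=jdoe src=10.1.2.3
2024-05-01T03:00:00Z pos-app-01 AUTH_OK user=svc_pos src=10.1.5.9
2024-05-01T09:30:12Z pos-app-01 USER_ADD user=tmpadmin by=root
2024-05-01T09:31:02Z pos-app-01 AUDIT_STOP by=root
2024-05-01T10:00:00Z radius-01 AUTH_FAIL user=asmith src=10.1.2.8
"""


def parse(text):
    """Turn raw lines into dicts; unparseable lines are skipped here."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
        events.append({"ts": m["ts"], "host": m["host"], "event": m["event"], **kv})
    return events


def review(text, in_scope=IN_SCOPE_HOSTS):
    """Return the daily review record: counts plus open exceptions."""
    events = parse(text)
    summary = Counter((e["host"], e["event"]) for e in events)
    exceptions = []

    def flag(kind, detail):
        exceptions.append({"kind": kind, "detail": detail, "status": "open"})

    # 1. Coverage: silence from an in-scope system is itself an exception.
    seen_hosts = {e["host"] for e in events}
    for host in sorted(in_scope - seen_hosts):
        flag("no_logs_received", host)

    # 2. Failed-login bursts per (user, source), and a success right after one.
    fails = defaultdict(int)
    for e in events:
        key = (e.get("user"), e.get("src"))
        if e["event"] == "AUTH_FAIL":
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:
                flag("failed_login_burst", f"{key[0]} from {key[1]}")
        elif e["event"] == "AUTH_OK":
            if fails[key] >= FAIL_THRESHOLD:
                flag("success_after_failures", f"{key[0]} from {key[1]}")
            fails[key] = 0

    # 3. Account and audit-configuration changes always need follow-up.
    for e in events:
        if e["event"] == "USER_ADD":
            flag("account_created", f"{e.get('user')} on {e['host']} by {e.get('by')}")
        elif e["event"] == "AUDIT_STOP":
            flag("audit_logging_stopped", f"{e['host']} by {e.get('by')}")

    return {"events": len(events), "summary": dict(summary), "exceptions": exceptions}


if __name__ == "__main__":
    record = review(SAMPLE_LOGS)
    print(record["events"], "events reviewed")
    for ex in record["exceptions"]:
        print(f"[{ex['status']}] {ex['kind']}: {ex['detail']}")
```

The review record is what the QSA's "observation and interviews" test looks for: the summary proves the logs were examined, and each exception stays "open" until an analyst records the outcome, which gives the procedure its required follow-up step.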
To conclude, PCI security guidance mandates not only the creation and retention of logs, but also their review. It is essential that your logging policy and procedures cover such daily review tasks, whether performed with log management tools or manually. This will allow you to become compliant, validate your compliance, and stay compliant and secure on an ongoing basis. The major effect the age of compliance has had on log management is to turn it into a requirement rather than just a recommendation, and this change is certainly to the advantage of any enterprise subject to one of those regulations.
[MK adds: Logging plays an important role in all aspects of IT and security auditing including forensic investigations, continuous process improvement and performance monitoring. For more information on logging and security, see the Computer Security Handbook, 5th Edition (Bosworth, Kabay & Whyne, Eds.) Chapters 26 ("Gateway Security Devices"), 47 ("Operations Security and Production Controls"), 52 ("Application Controls"), and especially 53 ("Monitoring and Control Systems").]
* * *
Anton Chuvakin, PhD, GCIA, GCIH, GCFA is a recognized security expert in the field of log management and PCI DSS compliance. Chuvakin was a director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a chief logging evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Anton earned his PhD degree from Stony Brook University. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations.