Meeting PCI DSS compliance with NXLog Enterprise Edition
What is PCI DSS?
PCI DSS, or Payment Card Industry Data Security Standard, is a collection of security requirements developed by major credit card companies to safeguard merchants who accept credit card payments by ensuring they provide a secure environment. The standard includes provisions for data protection, network security, and security management, among other things. Organizations that process credit card transactions are required to comply with these standards.
Who needs to be PCI DSS compliant?
Every organization that processes, stores, or transmits credit card information, regardless of its size or number of transactions, must comply with PCI DSS. This includes service providers, merchants, and financial institutions processing credit card payments.
Consequences for PCI DSS non-compliance
The fines themselves are not communicated clearly by the PCI SSC (Payment Card Industry Security Standards Council). Still, there is a set of negative consequences, including monthly penalties from card brands (Visa, Mastercard, etc., ranging from $5k-100k), data breach costs in the form of forensic expenses, card replacement costs, processing rate increases, payment system contract termination, legal fees, damaged reputation, and revenue loss.
Being PCI DSS compliant isn't enough to guarantee 100% protection against data breaches. Even companies that meet the requirements can still face attacks and experience data loss, and a compliant company may still be held accountable for penalties following a violation. However, if the company has taken all necessary measures to meet PCI DSS standards, the card brands may reduce or even waive the fine imposed.
What are the PCI DSS requirements for log collection and monitoring?
Within the framework of the latest standard version, 4.0, there are 6 groups with a total of 12 general requirements, which offer detailed guidance aimed at enabling organizations to establish and maintain sound data security practices, including the collection and handling of logs:
Build and Maintain a Secure Network and Systems
1. Install and Maintain Network Security Controls.
2. Apply Secure Configurations to All System Components.
Protect Account Data
3. Protect Stored Account Data.
4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.
Maintain a Vulnerability Management Program
5. Protect All Systems and Networks from Malicious Software.
6. Develop and Maintain Secure Systems and Software.
Implement Strong Access Control Measures
7. Restrict Access to System Components and Cardholder Data by Business Need to Know.
8. Identify Users and Authenticate Access to System Components.
9. Restrict Physical Access to Cardholder Data.
Regularly Monitor and Test Networks
10. Log and Monitor All Access to System Components and Cardholder Data.
11. Test Security of Systems and Networks Regularly.
Maintain an Information Security Policy
12. Support Information Security with Organizational Policies and Programs.
Among them, there is a specific requirement that elaborates on log collection and the handling of log data. Requirement 10 explains what logging procedures card payment entities must adhere to, and it’s split into seven sections on how sensitive data environments are expected to be logged, monitored, and managed:
- 10.1 Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.
- 10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
- 10.3 Audit logs are protected from destruction and unauthorized modifications.
- 10.4 Audit logs are reviewed to identify anomalies or suspicious activity.
- 10.5 Audit log history is retained and available for analysis.
- 10.6 Time-synchronization mechanisms support consistent time settings across all systems.
- 10.7 Failures of critical security control systems are detected, reported, and responded to promptly.
In addition to the self-explanatory points above, some of the other requirements have a substantial impact on the log management aspect as well:
- 3.5 Primary account number (PAN) is secured wherever it is stored.
- 6.5 Changes to all system components are managed securely.
- 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed.
How does NXLog Enterprise Edition help?
As a powerful vendor-agnostic log collection and transformation tool, NXLog Enterprise Edition is a core component of a modern PCI DSS compliance strategy, feeding log analysis backends such as SIEM and APM systems.
Simplify The Process with Unified Log Collection Infrastructure (10.1)
NXLog Enterprise Edition allows an organization to define a unified log collection mechanism across the whole infrastructure, including system, operational, and critical components. Unified log collection helps design comprehensive technical solutions and simplifies the routines and policies that must be communicated to staff according to their roles.
Enable Audit Logs Centralization with Nothing Missed (10.2)
NXLog Enterprise Edition supports all the popular and advanced log collection methods. It integrates seamlessly with a wide range of data sources and with SIEM/APM systems to ensure that every payment card infrastructure component is covered by a PCI-compliant log management process.
Identify suspicious activity faster with pre-forward noise reduction and cut SIEM/APM costs (10.2, 10.4, 10.7)
With the best-on-market event processing engine of NXLog Enterprise Edition, security engineers can filter out most of the noise from logs right before forwarding the data to SIEM/APM. That speeds up both ingestion and ongoing log analysis in the SIEM/APM solution while cutting its costs, which are usually priced by EPS (events per second) and storage.
Ensure sensitive data does not leave the PCI infrastructure (3.5)
NXLog Enterprise Edition can mask or truncate sensitive data (account numbers, card numbers, etc.) in logs whenever the logs have to be sent to other services, including those managed by third parties, such as managed security service providers (MSSPs).
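The two processing steps described above, pre-forward noise reduction and masking of primary account numbers, are illustrated below in a standalone Python script. This is an added example written for this page; it is not NXLog configuration or NXLog code, and the log lines, card numbers (standard test numbers) and noise rules are constructed for the demonstration. It shows one detail the prose does not: a Luhn check on candidate digit runs so that transaction references and other long numbers are left intact while real card numbers are masked down to their last four digits.

```python
import re

# Constructed sample log lines (not taken from any real system). The card
# numbers are the well-known Visa/Mastercard test numbers; the "ref" value
# is a 16-digit transaction reference that is NOT a valid PAN.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z pos01 app[412]: DEBUG heartbeat ok",
    "2024-03-01T10:00:02Z pos01 app[412]: INFO payment authorised card=4111111111111111 amount=42.10",
    "2024-03-01T10:00:03Z pos01 app[412]: INFO GET /healthz 200",
    "2024-03-01T10:00:04Z pos02 app[517]: WARN retry txn ref=1234567890123456 card=5555555555554444",
    "2024-03-01T10:00:05Z pos02 sshd[99]: ERROR Failed password for admin from 10.0.0.7",
]

# Any run of 13-19 digits not adjacent to other digits is a PAN candidate.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Noise rules chosen for this example: debug chatter and health-check probes
# carry no security value and only inflate SIEM EPS and storage.
NOISE_PATTERNS = [
    re.compile(r"\bDEBUG\b"),
    re.compile(r"GET /healthz 200"),
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(line: str) -> str:
    """Mask every Luhn-valid digit run in the line, keeping only the last four digits."""
    def repl(match: re.Match) -> str:
        candidate = match.group(1)
        if luhn_valid(candidate):
            return "*" * (len(candidate) - 4) + candidate[-4:]
        return candidate        # not a PAN (e.g. a transaction reference): leave as is
    return PAN_CANDIDATE.sub(repl, line)


def is_noise(line: str) -> bool:
    """True if the line matches any of the configured noise rules."""
    return any(p.search(line) for p in NOISE_PATTERNS)


def preprocess(lines):
    """Drop noise and mask PANs; return (lines_to_forward, dropped_count)."""
    forwarded, dropped = [], 0
    for line in lines:
        if is_noise(line):
            dropped += 1
            continue
        forwarded.append(mask_pan(line))
    return forwarded, dropped


if __name__ == "__main__":
    out, dropped = preprocess(SAMPLE_LOGS)
    print(f"dropped {dropped} noise events, forwarding {len(out)}:")
    for line in out:
        print("  ", line)
```

Masking happens before the event leaves the collector, so the SIEM or an external MSSP never receives the full PAN; the Luhn check keeps false positives low but does not catch numbers written with spaces or dashes, which a production rule set would also have to normalise.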
Enforce Audit Logs & System Files Monitoring Against Unauthorized Changes (10.3, 6.5, 11.5.2)
NXLog Enterprise Edition provides a File Integrity Monitoring (FIM) module that detects changes to the file system and promptly triggers a security event. That helps protect both critical system files and retained logs from unauthorized tampering.
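To make the change-detection idea behind requirement 11.5.2 concrete, here is an added Python example (not NXLog code and not the configuration of its FIM module) that builds a hash baseline of a directory, rescans it, and reports created, deleted, modified and permission-changed files as events. The monitored files and the tampering it simulates are constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large audit logs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: digest, size and permission bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Diff two snapshots and return one event dict per detected change."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append({"file": rel, "change": "deleted"})
        elif rel not in baseline:
            events.append({"file": rel, "change": "created"})
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            events.append({"file": rel, "change": "modified"})
        elif baseline[rel]["mode"] != current[rel]["mode"]:
            events.append({"file": rel, "change": "permissions"})
    return events


def demo() -> list:
    """Constructed scenario: take a baseline, tamper with the files, rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "audit.log").write_text("2024-03-01 login ok\n")
        (root / "app.conf").write_text("debug=false\n")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: an edited audit log, a removed
        # config file and a new script dropped into the monitored directory.
        (root / "audit.log").write_text("2024-03-01 login ok (edited)\n")
        (root / "app.conf").unlink()
        (root / "new.sh").write_text("echo hi\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for event in demo():
        print(f"FIM alert: {event['file']} {event['change']}")
```

In a real deployment the baseline itself must live outside the monitored hosts (or be signed), otherwise an attacker who can edit the audit log can also edit the baseline; the same reasoning is why retained audit logs should be forwarded off-host before they are relied on as evidence.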
Enable Cost-Efficient Audit Logs Retention (10.5)
In accordance with PCI DSS 4.0, audit logs must be retained for at least 12 months, with at least the most recent three months immediately available for analysis. NXLog Enterprise Edition provides flexible retention and routing mechanisms, so it is always possible to support the most efficient retention process, including moving older logs to cheaper, colder storage.
Ensure consistent time settings across all infrastructure (10.6)
NXLog Enterprise Edition allows the collection of logs from time synchronization services, so that any suspicious changes can be responded to promptly. Keeping log event timestamps synchronized across all PCI infrastructure is crucial for ongoing threat analysis and for a valid chain of custody.