What is PCI DSS?
PCI DSS, the Payment Card Industry Data Security Standard, is a set of security requirements maintained by the PCI Security Standards Council, which was founded by the major card brands. Its purpose is to protect cardholder data wherever payment cards are accepted, processed, stored, or transmitted, by requiring merchants and service providers to maintain a secure environment. The standard covers data protection, network security, access control, monitoring, and security management, among other things. Organizations that process payment card transactions are required to comply with it.
Who needs to be PCI DSS compliant?
Every organization that processes, stores, or transmits credit card information, regardless of its size or number of transactions, must comply with PCI DSS. This includes service providers, merchants, and financial institutions processing credit card payments.
Consequences for PCI DSS non-compliance
The PCI SSC (Payment Card Industry Security Standards Council) does not impose fines itself, and the card brands do not publish a fixed fine schedule; penalties are levied by the card brands through the organization's acquiring bank. Still, there is a well-known set of negative consequences: monthly penalties from the card brands (Visa, Mastercard, etc., commonly cited in the range of $5k to $100k), data breach costs in the form of forensic investigation expenses and card replacement costs, processing rate increases, termination of payment processing contracts, legal fees, reputational damage, and revenue loss.
Being PCI DSS compliant does not guarantee protection against data breaches. Companies that meet the requirements can still be attacked and lose data, and a company that was assessed as compliant may still be penalized if a breach reveals that it was not actually compliant at the time of the incident. However, if the company can show that it had taken all the measures PCI DSS requires, the card brands may reduce or even waive the fine.
What are the PCI DSS requirements for log collection and monitoring?
Within the latest standard’s framework (version 4.0), there are 6 requirement groups with a total of 12 general requirements, which offer detailed guidance aimed at enabling organizations to establish and maintain optimal data security practices, including the collection and handling of logs:
| CATEGORY | REQUIREMENT |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and Maintain Network Security Controls. |
| | 2. Apply Secure Configurations to All System Components. |
| Protect Account Data | 3. Protect Stored Account Data. |
| | 4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks. |
| Maintain a Vulnerability Management Program | 5. Protect All Systems and Networks from Malicious Software. |
| | 6. Develop and Maintain Secure Systems and Software. |
| Implement Strong Access Control Measures | 7. Restrict Access to System Components and Cardholder Data by Business Need to Know. |
| | 8. Identify Users and Authenticate Access to System Components. |
| | 9. Restrict Physical Access to Cardholder Data. |
| Regularly Monitor and Test Networks | 10. Log and Monitor All Access to System Components and Cardholder Data. |
| | 11. Test Security of Systems and Networks Regularly. |
| Maintain an Information Security Policy | 12. Support Information Security with Organizational Policies and Programs. |
Among them, one requirement deals specifically with log collection and the handling of log data. Requirement 10 sets out the logging procedures that entities handling card payments must follow, and it is split into seven sections covering how the cardholder data environment is expected to be logged, monitored, and managed:
- 10.1: Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.
- 10.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
- 10.3: Audit logs are protected from destruction and unauthorized modifications.
- 10.4: Audit logs are reviewed to identify anomalies or suspicious activity.
- 10.5: Audit log history is retained and available for analysis.
- 10.6: Time-synchronization mechanisms support consistent time settings across all systems.
- 10.7: Failures of critical security control systems are detected, reported, and responded to promptly.
In addition to the points above, several other requirements have a substantial impact on log management as well:
- 3.5: Primary account number (PAN) is secured wherever it is stored.
- 6.5: Changes to all system components are managed securely.
- 11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed.
How does NXLog help?
With its vendor-agnostic log collection, transformation, and analysis capabilities, NXLog can serve as a core component of the log management strategy behind your PCI DSS compliance.
- Simplify the process with unified log collection infrastructure (10.1)
  NXLog lets an organization run a single, unified log collection mechanism across the entire PCI infrastructure, covering both system and operational components. That supports compliance technically and also simplifies the routines and policies that must be documented and communicated to staff.
- Enable audit log centralization with nothing missed (10.2)
  NXLog supports the common and the more specialized log collection methods, and integrates with a wide range of data sources and SIEM/APM solutions, so that every payment card infrastructure component can be brought into a PCI-compliant log management process.
- Identify suspicious activity faster with pre-forward noise reduction and cut SIEM/APM costs (10.2, 10.4, 10.7)
  With its event processing engine, NXLog can filter most of the noise out of logs before the data is forwarded to security platforms (SIEM/APM). That speeds up both ingestion and ongoing analysis of security logs in the SIEM/APM, and reduces cost for platforms priced by EPS (events per second). Filtering must be scoped carefully: the events that Requirement 10.2.1 says must be logged, such as individual user access to cardholder data, actions by administrative accounts, access to the audit logs themselves, and invalid access attempts, have to be recorded and reach the review process required by 10.4 regardless of what is dropped as noise.
- Ensure sensitive data doesn't leave PCI infrastructure (3.5)
  NXLog can mask or truncate sensitive data (account numbers, card numbers, etc.) in logs before they are forwarded to other services, including those run by third parties such as managed security service providers (MSSPs). A log that carries the full PAN is itself stored account data, which pulls the log pipeline and every downstream system into PCI DSS scope.
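The two pre-forward steps described above, noise filtering and PAN redaction, as an added illustration in Python. This is example code written for this page, not NXLog's own implementation (NXLog does this in its configuration language) and not a complete PCI control. The regular expression, the health-check noise pattern, the sample log lines and the 16-digit order id are all constructed for the example; the card numbers are the public Visa and Mastercard test numbers. The Luhn check is used so that ordinary 13 to 19 digit values (order ids, timestamps, hashes) are not mangled, and the masking keeps the first six and last four digits, which is the classic PCI DSS truncation format.

```python
import re
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. Assumption for this example.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Event patterns that carry no security value for the SIEM. Constructed for
# this example; a real list must never match anything Requirement 10.2.1
# says must be logged (access to cardholder data, admin actions, auth
# failures, changes to the audit logs themselves, ...).
NOISE_PATTERNS = [
    re.compile(r'"GET /healthz HTTP/1\.[01]" 200'),
]


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test.

    Roughly one in ten random digit strings passes, so this only reduces
    false positives; it does not prove that the number is a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a candidate PAN in place, preserving its separators.

    Candidates that fail Luhn are returned unchanged. Keeping the first six
    and last four digits is the classic truncation format; keep_first=0
    leaves only the last four."""
    digits = [c for c in raw if c.isdigit()]
    if not luhn_ok("".join(digits)):
        return raw
    n = len(digits)
    out = []
    idx = 0
    for c in raw:
        if c.isdigit():
            out.append(c if idx < keep_first or idx >= n - keep_last else "X")
            idx += 1
        else:
            out.append(c)
    return "".join(out)


def redact_line(line: str) -> str:
    """Mask every Luhn-valid PAN candidate found in one log line."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), line)


def is_noise(line: str) -> bool:
    return any(p.search(line) for p in NOISE_PATTERNS)


def preprocess(lines: List[str]) -> List[str]:
    """Drop noise events, then redact PANs in what remains.

    Returns the lines that would be forwarded to the SIEM."""
    return [redact_line(line) for line in lines if not is_noise(line)]


# Constructed sample log lines (not from any real system). The order id is a
# 16-digit value that fails Luhn and must survive untouched.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z payment-api INFO order=1234567890123456 card=4111111111111111 status=approved",
    '2024-03-01T10:15:03Z payment-api INFO card="5555 5555 5555 4444" status=declined',
    '2024-03-01T10:15:04Z payment-api INFO "GET /healthz HTTP/1.1" 200 2ms',
]

if __name__ == "__main__":
    for line in preprocess(SAMPLE_LOG):
        print(line)
```

Running it forwards two of the three lines: the health check is dropped, the Visa number becomes `411111XXXXXX1111`, the Mastercard number becomes `5555 55XX XXXX 4444`, and the order id is left alone. Two caveats a practitioner should keep in mind: redaction runs before forwarding, so the unredacted copy on the source host is still stored account data and has to be handled under Requirement 3.5 (or not written in the first place); and because Luhn only filters, the safe default when in doubt is to redact more, not less.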
- Enforce audit log and system file monitoring against unauthorized changes (10.3, 6.5, 11.5.2)
  NXLog provides a File Integrity Monitoring (FIM) module that detects changes to files and directories and raises a security event promptly. That helps protect both critical system files and retained logs from unauthorized tampering.
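The change-detection idea behind 11.5.2 and 10.3, as an added example written for this page in Python; it is not NXLog's FIM module, which is configured rather than coded, and the file names and contents are constructed for the demonstration. The point it makes is one that trips up naive integrity checks on audit logs: a log is supposed to grow, so hashing the whole file alerts on every legitimate append. For files declared append-only the check below hashes only the bytes that existed at baseline time, so normal growth is classified as "appended" while in-place edits of old entries, truncation and deletion still alert. Configuration files are not append-only, so any change to them alerts.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

CHUNK = 65536


@dataclass(frozen=True)
class Entry:
    size: int
    sha256: str  # digest of the whole file at baseline time


def _digest(path: str, length: Optional[int] = None) -> str:
    """SHA-256 of the first `length` bytes of a file (whole file if None)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def snapshot(paths: Iterable[str]) -> Dict[str, Entry]:
    """Record size and digest of every existing file in `paths`."""
    return {p: Entry(os.path.getsize(p), _digest(p)) for p in paths if os.path.isfile(p)}


def check(baseline: Dict[str, Entry], append_only: Set[str]) -> Dict[str, str]:
    """Classify each baselined file as unchanged, appended, modified,
    truncated or deleted.

    Files in `append_only` (audit logs) may grow, but the bytes that existed
    at baseline time must still hash to the baseline digest; anything else
    is a change that deserves an alert."""
    verdicts = {}
    for path, old in baseline.items():
        if not os.path.isfile(path):
            verdicts[path] = "deleted"
            continue
        size = os.path.getsize(path)
        if size == old.size:
            verdicts[path] = "unchanged" if _digest(path) == old.sha256 else "modified"
        elif size < old.size:
            verdicts[path] = "truncated"
        elif path in append_only and _digest(path, old.size) == old.sha256:
            verdicts[path] = "appended"
        else:
            verdicts[path] = "modified"
    return verdicts


# Verdicts that should raise a security event.
ALERT = {"modified", "truncated", "deleted"}


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario in a temporary directory: baseline an append-only
    audit log and a config file, then check after a legitimate append, after
    an in-place rewrite of old log content plus a config edit, and after
    both files are destroyed."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "audit.log")
        cfg = os.path.join(d, "nxlog.conf")
        with open(log, "wb") as f:
            f.write(b"user=alice action=view pan_last4=1111\n")
        with open(cfg, "wb") as f:
            f.write(b"LogLevel INFO\n")
        base = snapshot([log, cfg])
        results = {}

        with open(log, "ab") as f:          # normal log growth
            f.write(b"user=bob action=export\n")
        results["after_append"] = check(base, {log})

        with open(log, "r+b") as f:         # rewrite history in place
            f.seek(0)
            f.write(b"user=mallory")
        with open(cfg, "ab") as f:          # config drift
            f.write(b"LogLevel DEBUG\n")
        results["after_tamper"] = check(base, {log})

        open(log, "wb").close()             # wipe the log
        os.remove(cfg)
        results["after_destroy"] = check(base, {log})

    return {step: {os.path.basename(p): v for p, v in r.items()}
            for step, r in results.items()}


if __name__ == "__main__":
    for step, verdicts in demo().items():
        print(step, verdicts)
```

Two things a real deployment adds that the example leaves out: the baseline must live somewhere the monitored host cannot rewrite (otherwise an attacker who can edit the log can also re-baseline it), and log rotation has to re-baseline the new file rather than be reported as truncation. Requirement 11.5.2 expects the comparison to run at least weekly; for audit logs that protect 10.3, a far shorter interval is the practical choice.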
- Enable cost-efficient audit log retention (10.5)
  Under PCI DSS 4.0, audit logs must be retained for at least 12 months, with at least the most recent three months immediately available for analysis. NXLog provides flexible retention and routing mechanisms, so the most efficient retention scheme for your data can be put in place, including tiering older logs to cheaper storage as they age.
- Ensure consistent time settings across all infrastructure (10.6)
  Keeping event timestamps synchronized across the whole PCI infrastructure is crucial for threat analysis and for a valid audit trail. Requirement 10.6 also expects time synchronization settings to be protected and changes to them to be logged and reviewed; NXLog can collect logs from time synchronization services, so you can respond promptly if suspicious changes occur.