This story appeared on Network World at
PCI DSS logging: A must for compliance
Security Strategies Alert By M. E. Kabay, Network World
March 08, 2010 12:07 AM ET
Anton Chuvakin, PhD, GCIA, GCIH, GCFA is a well-known security expert and author of the books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy: Learning about Security Threats", Second Edition, the Information Security Management Handbook and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS and security management. His blog is one of the most popular in the industry. Today Chuvakin reviews the logging requirements imposed by the Payment Card Industry Data Security Standard (PCI DSS). Everything that follows is Chuvakin's work with minor edits.
* * *
The PCI DSS continues its march from the largest to the smallest merchants, affecting the way thousands of organizations approach security. PCI DSS applies to all organizations that handle credit-card transactions or that store or process payment-card data.
Among other things, it mandates logging of specific details and log-review procedures needed to detect and investigate credit-card fraud, criminal hacking and other security issues.
Even though logging is implied in all 12 PCI requirements, PCI DSS Requirement 10 is dedicated to logging and log management. Logs for all in-scope systems and components must be reviewed at least daily. Organizations must ensure the integrity of their logs by implementing file-integrity monitoring and change-detection software on logs to ensure that existing log data cannot be changed without notice. Logs from in-scope systems are to be stored for at least one year.
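Two of the Requirement 10 points above, change detection on existing log data and a one-year retention floor, are easy to state and easy to get subtly wrong. The following is an added example written for this column, not code from the article or from any PCI tooling: it builds a hash baseline over a directory of log files, distinguishes a legitimate append from truncation or in-place rewriting, and gates deletion on the 365-day retention period. The file names, log lines and timestamps are constructed for the demonstration.

```python
"""Added example (not from the article): minimal change detection and
retention gating for log files, illustrating PCI DSS Requirement 10.
All file names, log contents and timestamps below are constructed."""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Tuple

RETENTION_DAYS = 365  # Requirement 10: keep logs for at least one year


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large logs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(log_dir: Path) -> Dict[str, dict]:
    """Record size and SHA-256 for every log file; this is the trusted reference."""
    return {p.name: {"size": p.stat().st_size, "sha256": sha256_file(p)}
            for p in sorted(log_dir.glob("*.log"))}


def check_integrity(log_dir: Path, baseline: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Compare the current state with the baseline. Logs are append-only, so a
    file that grew is fine as long as its original prefix is intact; a file
    that shrank, vanished, or changed without growing is reported."""
    findings = []
    for name, ref in baseline.items():
        p = log_dir / name
        if not p.exists():
            findings.append((name, "missing"))
            continue
        size = p.stat().st_size
        if size < ref["size"]:
            findings.append((name, "truncated"))
        elif size == ref["size"] and sha256_file(p) != ref["sha256"]:
            findings.append((name, "modified in place"))
        elif size > ref["size"]:
            with p.open("rb") as f:
                prefix = f.read(ref["size"])
            if hashlib.sha256(prefix).hexdigest() != ref["sha256"]:
                findings.append((name, "rewritten"))
    return findings


def eligible_for_purge(path: Path, now: float) -> bool:
    """A log may be removed only once it is older than the retention period.
    Uses the file mtime as the age of the newest entry (assumption)."""
    return path.stat().st_mtime + RETENTION_DAYS * 86400 <= now


def demo() -> dict:
    """Constructed scenario: baseline three logs, then append to one,
    truncate another, and backdate a third past the retention window."""
    with tempfile.TemporaryDirectory() as d:
        log_dir = Path(d)
        (log_dir / "auth.log").write_text(
            "Mar 08 00:01:02 pos1 sshd[412]: Accepted publickey for admin\n")
        (log_dir / "app.log").write_text(
            "2010-03-08T00:02:00Z pos1 payment: txn=CONSTRUCTED-1 result=approved\n")
        (log_dir / "old.log").write_text("2009-01-01T00:00:00Z archived entry\n")
        baseline = build_baseline(log_dir)

        # Legitimate growth: a new event appended to auth.log.
        with (log_dir / "auth.log").open("a") as f:
            f.write("Mar 08 00:05:00 pos1 sshd[413]: Failed password for root\n")
        # Tampering: the transaction entry is wiped from app.log.
        (log_dir / "app.log").write_text("")
        # Aged archive: old.log last written 400 days ago.
        os.utime(log_dir / "old.log", (time.time() - 400 * 86400,) * 2)

        now = time.time()
        return {
            "integrity": check_integrity(log_dir, baseline),
            "purgeable": sorted(p.name for p in log_dir.glob("*.log")
                                if eligible_for_purge(p, now)),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would live on a separate host or write-once store and be refreshed on a schedule, so that whoever can edit the logs cannot also edit the reference; the append check is what keeps a busy log from raising an alert every minute while still catching removal of earlier entries.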
System administrators often ask for more details of the logging requirements; for example, "What configuration settings should we change on our system?" An authoritative guide on logging for PCI DSS, such as the one I created for a consulting client during a recent PCI logging project, should answer the following questions:
• Log which events?
• Log which details?
• Retain which logs?
• Review which logs?
• How should we review logs?
By the way, the italics for authoritative serve to remind readers that only your own Qualified Security Assessor (QSA) holds an authoritative view on the subject; the rest of us have to settle for a defensible view. Such a defensible guide must translate guidelines into a specific logging policy with actionable tasks and operational procedures while making a few assumptions about your organization. Such guidance must cover both the PCI logging requirements needed to achieve and to stay compliant with PCI and those needed to get compliance validated. Such logging will also be useful beyond PCI compliance, following the "compliance+" model that I use for many security technologies. When I was teaching my log management class at a SANS conference in December 2009, many students confirmed that this has been their experience as well.