Log Management in PCI Compliance
by Dr. Anton Chuvakin - GCIA, GCIH, GCFA at LogLogic - Monday, 3 September 2007.
Security professionals have come to realize that ensuring data security and integrity is critical to business continuity and risk mitigation. However, with increasing amounts of data flooding our ever more complex networks, the risk of information being stolen or lost (with you unable to prove that it was not stolen) continues to rise. Online merchant networks are particularly at risk from both classic computer attacks and more insidious fraud. At the same time, the more customer data is collected, the more dangerous the situation becomes. In response to this trend and to prodding from major credit card companies, new security measures are being implemented by merchants and other businesses to protect the data their customers trust them with (or don’t even know they have).

Today, all credit card merchants, service providers and retailers who process, store and transmit cardholder data have a responsibility to protect that data and must comply with a diverse range of regulations and industry mandates as well as a growing list of voluntary “best practices” frameworks. These include the venerable Sarbanes-Oxley bill (better known as SOX or SarbOx), the Payment Card Industry (PCI) data security standard, the Gramm-Leach-Bliley Act of 1999 and even HIPAA (healthcare providers take credit cards too!). Not complying with the above might result in fines, legal exposure, or both, although it is widely known that the regulations differ wildly in regard to their “teeth.” For instance, it was reported that nobody was ever fined for being out of compliance with HIPAA.

But this is easier said than done. Immense volumes of log data are being generated on such payment networks, necessitating more efficient ways of managing, storing and searching through log data, both reactively (after a suspected incident) and proactively (in search of potential risks). For example, a typical retailer generates hundreds of thousands of log messages per day, amounting to many terabytes per year. An online merchant can generate upwards of 500,000 log messages every day. One of America’s largest retailers has more than 60 terabytes of log data on its systems at any given time. At the same time, unlike other companies, retailers often have no option of ignoring logging.

The importance of effective and efficient log data management in payment networks cannot be overemphasized. In fact, the result of data mismanagement can be devastating. Retail Ventures Inc., for example, lost personal customer information from 108 stores in its DSW Shoe Warehouse subsidiary, an incident that involved 1.4 million credit cards used to make purchases. The lost data consisted of account numbers, names, and transaction amounts. Similarly, CardSystems was sued in a series of class action cases alleging it failed to adequately protect the personal information of 40 million consumers. At an individual cost of $30 per consumer, the cost of repairing the damage could be as high as $1.2 billion. What is interesting is that in the latter case, only a small number of cards was “confirmed stolen,” while the rest were not “confirmed safe,” since there were no logs to prove that they were not.
