Log Management in PCI Compliance
by Dr. Anton Chuvakin - GCIA, GCIH, GCFA at LogLogic - Monday, 3 September 2007.
Addressing PCI not only protects businesses and merchants from cardholder fraud, but also satisfies a broader mandate for information protection and security. Several retailers stated that complying with PCI makes them automatically compliant with SOX, due to the more stringent and more specific requirements described in the PCI standard. Additional benefits include improved operational efficiencies through broad compliance (even likely with future regulations!), reduced IT administration and maintenance costs, reduced IT labor costs and greater IT productivity. At the same time, some see complying with PCI as another compliance burden for companies, especially if IT resources are limited and focused on the day-to-day grind of “firefighting.” To cost-effectively and efficiently comply with PCI, companies should look at log management and intelligence (LMI) solutions to simplify the process of collecting, storing and managing log data: this satisfies the reporting and monitoring requirements and the audit log collection requirements, and it also enables better incident response and forensics.

PCI Compliance Combats Fraud and Improves Security

In most cases, when a customer clicks the “buy” button on a web site, a number of things happen on the backend. An application server connects to a database, multiple records are updated and sometimes a connection to a separate payment application is initiated. All those activities generate log files in various places: on the servers, applications, databases as well as on network and security infrastructure components. At the same time, the attackers know that there might be vulnerabilities in these processes and technologies that leave data unprotected. Internal threats such as insider misuse are of even greater concern in this case, since there are no perimeter defenses stopping such attackers.

According to a recent FBI survey, financial fraud is the second-largest category of hacking events on the Internet today. Similarly, Gartner estimates that 20-30% of Global 1000 companies suffer losses due to mismanagement of private and confidential information. The costs to recover from these mistakes could reach up to $5-20 million per company, as happened in a few recent cases affecting both commercial and government entities. Additionally, it is well known that brand damage results from waning consumer trust.

PCI Requirements Center on Security and Authorized Access

By complying with PCI, merchants and service providers not only meet their obligations to the payment system but also create a culture of security that benefits everyone, including the top executives. The security requirements of PCI extend to all system components that are connected to the cardholder data environment:
  • Network components: firewalls, switches, routers, intrusion prevention and detection systems, proxies and content filters, wireless access points as well as other network and security appliances.
  • Servers: web, database, authentication, domain name service (DNS), mail, network time protocol (NTP), directory and others.
  • Applications: all purchased and custom apps, internally and externally facing web applications, Intranet applications, etc.
What is even more important is that companies must be able to verify and demonstrate their compliance status and to do so rapidly, whenever an audit takes place. Such proof of compliance is a fundamental and critical function that identifies and corrects potential pitfalls in the network, and ensures that appropriate levels of cardholder information security are maintained.

PCI requirements revolve around the following goals:
  • Build and maintain a secure network
  • Protect cardholder data in transit and at rest
  • Maintain a vulnerability management program
  • Implement strong access control measures and audit them on a regular basis
  • Continuously monitor networks and systems
  • Maintain an information security policy
  • Maintain audit trails of all of the above activities.
Log data plays a central role in meeting several of these goals. Specifically, without log data, companies cannot verify and audit access controls, other security safeguards and policies; they cannot monitor their networks and systems; and they cannot conduct incident response activities.
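The purchase flow described earlier (application server, database, payment application) only becomes auditable once the logs from all of those sources are collected and tied together. The following is an added example, not code from the article or from LogLogic: it parses constructed sample log lines in an assumed `source timestamp key=value ...` format, rebuilds the per-transaction audit trail, and flags database activity on cardholder tables that has no matching application-server request, the pattern that direct insider access leaves behind and that no single log source can reveal on its own.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original article): one normal
# purchase seen by the app server, the database audit log and the payment
# application, plus one direct database read that no web request triggered.
SAMPLE_LOGS = """\
app  2007-09-03T10:00:01 txn=A1001 user=customer42 action=checkout status=200
db   2007-09-03T10:00:02 txn=A1001 dbuser=app_svc table=orders op=UPDATE rows=1
pay  2007-09-03T10:00:03 txn=A1001 gateway=ok auth_code=REDACTED
db   2007-09-03T11:15:09 txn=A1002 dbuser=dba_jsmith table=cardholders op=SELECT rows=500
""".splitlines()

# Assumed line layout: <source> <timestamp> <key=value pairs>
LINE_RE = re.compile(r"^(?P<src>\w+)\s+(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'src ts k=v k=v ...' line into a dict; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"src": m.group("src"), "ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def build_audit_trail(lines):
    """Group events from every source by transaction id, in arrival order,
    so an auditor can replay a whole purchase end to end."""
    trail = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and "txn" in event:
            trail[event["txn"]].append(event)
    return dict(trail)


def find_orphan_db_access(trail):
    """Return (txn, [dbusers]) for transactions that touched the database
    without any application-server event: the cross-source signature of
    someone reading cardholder data directly rather than through the app."""
    findings = []
    for txn, events in trail.items():
        sources = {e["src"] for e in events}
        if "db" in sources and "app" not in sources:
            findings.append((txn, [e["dbuser"] for e in events if e["src"] == "db"]))
    return findings
```

In a real deployment the same correlation runs over the collected, centrally stored logs of every in-scope component, which is exactly the data an LMI solution exists to gather and retain.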
