Complying with PCI, merchants and service providers not only meet their obligations to the payment system but create a culture of security that benefits everyone, including the top executives. The security requirements of PCI extend to all system components that are connected to the cardholder data environment:
- Network components: firewalls, switches, routers, intrusion prevention and detection systems, proxies and content filters, wireless access points as well as other network and security appliances.
- Servers: web, database, authentication, domain name service (DNS), mail, network time protocol (NTP), directory and others.
- Applications: all purchased and custom apps, internally and externally facing web applications, Intranet applications, etc.
PCI requirements revolve around the following goals:
- Build and maintain a secure network
- Protect cardholder data in transit and at rest
- Maintain a vulnerability management program
- Implement strong access control measures and audit them on a regular basis
- Continuously monitor networks and systems
- Maintain an information security policy
- Maintain audit trails of all of the above activities.
The PCI specification highlights the necessity of log data collection and management for meeting the key requirements. For example, Requirement 10 specifies that companies should “track and monitor all access to network resources and cardholder data.” The requirement specifies that companies “implement automated audit trails to reconstruct events for all system components.” These events include user access, actions taken, invalid logical access attempts, use of identification and authentication mechanisms, initialization of audit logs and creation or deletion of system-level objects. It also recommends recording audit trail entries for each event, including user ID, type of event, date and time, success or failure, origination of event, and the identity of the affected data or component.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.