Log Management in PCI Compliance
by Dr. Anton Chuvakin - GCIA, GCIH, GCFA at LogLogic - Monday, 3 September 2007.
The PCI specification highlights the necessity of log data collection and management for meeting the key requirements. For example, Requirement 10 specifies that companies should “track and monitor all access to network resources and cardholder data.” The requirement specifies that companies “implement automated audit trails to reconstruct events for all system components.” These events include user access, actions taken, invalid logical access attempts, use of identification and authentication mechanisms, initialization of audit logs and creation or deletion of system-level objects. It also recommends recording audit trail entries for each event, including user ID, type of event, date and time, success or failure, origination of event, and the identity of the affected data or component.

The PCI standard goes on to say that companies should “review logs for all system components at least daily,” and the review should include servers that handle intrusion detection, authentication, authorization and accounting. The interesting thing is that, in the mind of many retailers, “review logs daily” does not mean that a person would be poring through the logs every single day. An automated system can do this just as well, and in fact better. In case of such “automated review,” alerts would be generated in case traces of malicious, suspicious or fraudulent activity are seen in logs. At the same time, a human analyst might review reports and alerts that highlight such activity as needed.

In addition, PCI specifies that “an audit trail should be retained for a period consistent with its effective use, as well as legal regulations,” and that the “audit history usually covers a period of a t least one year, with a minimum of 3 months available online.” Thus there are also log data retention (and the corresponding log data destruction requirements!) requirements.

One should not that log data is implicitly present in many other PCI requirements, not only the directly relevant Requirement 10. For instance, just about every claim that is made to satisfy the requirements, such as data encryption or anti-virus updates, requires log files to actually substantiate it. So, even the requirement to “use and regularly update anti-virus software” will likely generate requires for log data during the audit, since the information is present in anti-virus audit logs. It is also well-known that failed anti-virus updates, also reflected in logs, expose the company the malware risks, since anti-virus without the latest signature updates only creates a false sense of security and undermine the compliance effort.

Similarly, the requirement to “establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations” is unthinkable to satisfy without effective collection and timely review of log data.

Thus, logs value to PCI program goes much beyond Requirement 10. Only through careful log data collection and management can companies meet the broad requirements of PCI. Such detailed log data management requires embedded intelligence in the log management solution to make the data secure, accessible and easy to organize and to automate many of the required tasks, such as monitoring, analysis and retention.

LMI for PCI Compliance

A comprehensive LMI solution that can collect, aggregate and centrally store all data from these network entities is essential to meet the goals of the PCI standard. LMI enables satisfying the audit, monitoring, data protection, log data collection and retention, identity access and change management cited in PCI requirement documents.

Let’s look at some of the above requirements in more detail.


101,000 US taxpayers affected by automated attack on IRS app

The IRS has revealed more details about an attack it suffered last month, mounted by unknown individuals with the aim to file fraudulent tax returns and funnel the returned money to their own bank accounts.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th