Requirement 10: Log and monitor all access to system components and cardholder data


  • This requirement covers the creation and protection of the audit information used to track and monitor access to all systems in PCI DSS scope, together with the synchronization of all system clocks.

  • 2022 Payment Security Report
  • Figure 24. Global state of PCI DSS compliance: Requirement 10

  • Full compliance: The share of organizations maintaining full compliance on Requirement 10 increased by a whopping 10.1 pp. This is a remarkable improvement, possibly due in part to the significant increase in the use of compensating controls.

    Control gap: The control gap improved significantly. Controls 10.7 (Retain audit trail history) and 10.2 (Examine audit log settings) appear in the Bottom-20 lists of controls with the lowest performance, and need more attention.

    Compensating controls: The use of compensating controls more than doubled for this requirement, from a low 1.9% to 4.6%, returning to about the same percentage it was at in 2015.

  • Figure 25. Requirement 10 control performance

    • A tip on sustainable control effectiveness

      Even in small environments, it is rarely practical to review logs on each system individually. It is essential to implement and maintain a centralized, automated system with robust log management and monitoring capabilities that links user access to all system components across the CDE. An integrated, unified security monitoring and compliance management solution that collects, normalizes, analyzes and presents log data, and that monitors and correlates it against the latest threat intelligence, can significantly increase the effectiveness of Requirement 10 controls and reduce the workload associated with them.

  • Requirement 10: Log and monitor all access to system components and cardholder data

    The goal

    The goal of PCI DSS Key Requirement 10 is to develop and maintain a sustainable capability to record and track user activity reliably, so that a data compromise can be prevented, detected or limited through logging and monitoring of all access to system components and CHD. This means that all required logs are collected from every system component across the CDE, correlated and reviewed daily, with the ability to detect and respond to incidents in a timely manner.

    This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations

    • IT components: A centralized, automated logging and monitoring system that collects and correlates logs from all in-scope CDE system components: every component that stores, processes or transmits CHD and/or SAD, plus all critical components and those that perform security functions (file-integrity monitoring or change-detection software, IDS/IPS, routers, firewalls, anti-malware, database logging, wireless access point logging, email/web server/e-commerce application logging, physical access logs, etc.)
    • People: All internal staff and third parties involved in the implementation, management, monitoring and support of system components (such as those listed above) required to meet the goal of this key requirement
    • Standard of performance: A complete, integrated security monitoring strategy, policy and procedure document with defined scope, roles and responsibilities for the production, protection and retention of audit trails, and expected standard of performance of people and systems supporting the achievement of this goal

    Goal requirements:

    Some of the primary conditions necessary to achieve the goal

    • Technology: Select and implement a centralized, automated logging and monitoring solution that meets all the logging and monitoring requirements under PCI DSS Key Requirement 10. For example, all audit trails must reliably and accurately link every access to a CDE system component to the individual user who accessed it, for any component that stores, processes or transmits CHD, and must record all actions taken by any individual with root or administrative privileges on any CDE system component
    • Competency: Correctly configure the features of the logging and monitoring system, ensuring that every system component is logging and reporting the relevant information
    • Capacity and capability: Ensure that security teams have the capacity to review logs every day, so that a potential breach of any CDE component is detected and responded to quickly, minimizing its duration and exposure
    • Capability—processes: Maintain effective detection and alerting processes that detect the failure of any critical security control, respond to the generated alerts, determine the root cause of the failure, and document the remediation required for failures of critical security controls within the CDE
    • Documentation and processes: Maintain effective standard operating procedures with clearly articulated performance standards. Regularly train and educate staff on how to follow the documented procedures

    Strong dependencies and integration with other key requirements

    • Requirement 11: Integration with intrusion-detection and change-detection mechanisms, whose alerts feed the incident response procedures (which PCI DSS places under Requirement 12.10)
    • Requirement 1: Integration with network security controls to monitor perimeter access
    • Requirement 7: Integration with access controls
    • Requirement 8: Integration with authentication systems

    Short-term objectives

    • Scope: Produce the system component inventory and verify that it is accurate and complete, so that no system component is accidentally excluded from the logging and monitoring program
    • Capability: Implement technology that effectively synchronizes all system clocks in all systems across the CDE
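
As an added illustration of the goal requirements above (user-linked audit trails, privileged-action logging, daily review, detecting failure of a critical security control) and of the clock-synchronization objective, the script below runs a small set of Requirement 10 checks over constructed log lines as a central collector might store them. It is example code written for this page, not code from the Verizon report or from any PCI DSS tooling. The record format, host names, user names, log sources and thresholds are all assumptions.

```python
"""Requirement 10 checks over constructed collector records (added example).

Each record is assumed to have the form
    <collector_receive_time>|<host>|<source>|<device_time>|<key=value ...>
with both times in ISO-8601 UTC. Hosts, users and sources are hypothetical.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: five CDE log sources are expected, four actually report.
SAMPLE_LOG = """\
2024-03-01T10:00:05Z|db01|postgres|2024-03-01T10:00:04Z|user=app_svc action=SELECT table=card_tokens
2024-03-01T10:01:10Z|jump01|auth|2024-03-01T10:01:10Z|user=alice action=sudo cmd="/bin/bash"
2024-03-01T10:02:00Z|db01|postgres|2024-03-01T10:02:00Z|user=root action=GRANT table=card_tokens
2024-03-01T10:03:30Z|fw01|firewall|2024-03-01T09:48:30Z|user=- action=DENY src=203.0.113.7 dst=10.0.0.5
2024-03-01T10:04:00Z|web01|fim|2024-03-01T10:04:00Z|user=- action=MODIFIED path=/etc/ssh/sshd_config
2024-03-01T10:05:00Z|db01|postgres|2024-03-01T10:05:00Z|user=- action=DELETE table=card_tokens
"""

EXPECTED_SOURCES = {"postgres", "auth", "firewall", "fim", "ids"}  # assumed CDE inventory
USER_SOURCES = {"postgres", "auth"}          # sources whose events must name a user
PRIVILEGED_USERS = {"root", "administrator"}  # assumed admin account names
PRIVILEGED_ACTIONS = {"sudo", "GRANT"}        # assumed privilege-bearing actions

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Normalize one collector record into a flat event dict."""
    recv, host, source, dev, msg = line.split("|", 4)
    fields = {k: v.strip('"') for k, v in _KV.findall(msg)}
    return {"recv": _ts(recv), "host": host, "source": source, "dev": _ts(dev),
            "user": fields.get("user", "-"), "action": fields.get("action", "-"),
            "fields": fields}


def normalize(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def privileged_actions(events):
    """Every action taken with root/administrative privileges must be in the trail."""
    return [e for e in events
            if e["user"] in PRIVILEGED_USERS or e["action"] in PRIVILEGED_ACTIONS]


def unattributed_events(events, user_sources=USER_SOURCES):
    """Events from user-facing sources that cannot be linked to an individual user."""
    return [e for e in events if e["source"] in user_sources and e["user"] in ("-", "")]


def silent_sources(events, expected=EXPECTED_SOURCES, now=None,
                   max_gap=timedelta(minutes=15)):
    """An expected source that stops reporting is a failed critical security control."""
    last_seen = {}
    for e in events:
        last_seen[e["source"]] = max(last_seen.get(e["source"], e["recv"]), e["recv"])
    now = now or max(e["recv"] for e in events)
    return sorted(s for s in expected
                  if s not in last_seen or now - last_seen[s] > max_gap)


def clock_skew(events, max_skew=timedelta(seconds=60)):
    """Devices whose own clock disagrees with the collector beyond the tolerance."""
    return [e for e in events if abs(e["recv"] - e["dev"]) > max_skew]


def daily_review(text):
    """The findings a daily log review would raise for the given records."""
    events = normalize(text)
    return {
        "privileged": [(e["host"], e["user"], e["action"]) for e in privileged_actions(events)],
        "unattributed": [(e["host"], e["action"]) for e in unattributed_events(events)],
        "silent_sources": silent_sources(events),
        "clock_skew": [(e["host"], int(abs(e["recv"] - e["dev"]).total_seconds()))
                       for e in clock_skew(events)],
    }


if __name__ == "__main__":
    for finding, items in daily_review(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

On the sample above the review lists the `sudo` and `GRANT` events as privileged activity, flags the `DELETE` on `card_tokens` as unattributed (a database session that cannot be tied to a person), reports `ids` as a silent source, and flags `fw01` as 900 seconds out of step with the collector. The FIM event carries no user but is not flagged, because file-integrity alerts are not user-initiated; which sources must name a user is the kind of scoping decision the component inventory has to settle.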

    Long-term objectives

    • Improve: Tune configurations to reduce false-positive alerts and the analyst time spent triaging them. Refine configurations and improve support processes, documentation and training
    • Maturity: Achieve and maintain high capability maturity in logging and monitoring across the CDE by improving the efficiency of manual log reviews and extending automation

    Common constraints

    • Capacity: Not having sufficient capacity of personnel to manage the workload associated with Requirement 10
    • Cost: Lack of budget for procurement of tools and staffing
    • Competency: Lack of staff proficient in log analysis and able to meet the required level of performance