
Timeline for PCI DSS 4.0: The Tenth Requirement and System Monitoring


As we move through the requirements for PCI DSS 4.0, we’re coming up to the double digits, which means some more advanced expectations. Namely, the tenth requirement focuses on system logging and monitoring for systems containing cardholder data. 

The maintenance of audit logs is about more than automatically recording data about system events. Your system must secure, protect, and ensure the integrity of that information so that it can serve a role in incident prevention and investigation.

 

What Are System Logging and Monitoring in PCI DSS 4.0?

System logging and monitoring are critical parts of security, providing security experts and professionals with the necessary information to analyze and address security issues. Because system forensics is such an essential part of cybersecurity, there are rules and best practices that govern logging and monitoring.

Monitoring and logging come at the problem of forensics and information gathering from two different directions.

 

System Monitoring

System monitoring is generally preventative in that it allows administrators to notice inconsistencies or anomalies in a system as they occur or shortly afterward. Automated tools and software can monitor active systems to detect anomalous activity.

However, since these systems are composed of several different components, each with its own operations, data flows, and interfaces, such monitoring solutions will typically focus on (or integrate with) specific types of system observation.

These can include:

 

System Logging

System logging, rather than actively scanning a system or noticing different behavior patterns, provides forensic information about those patterns, behaviors, or activities. Logs are records of system events. Each record stores critical data about an event, which can be used to build a picture of the event’s context and its relationship to other events within the system.

Logs are a critical, necessary part of cybersecurity, and as such, they come with several requirements for how organizations manage and protect them. These can include:

 

What Is the Tenth Requirement of PCI DSS 4.0?

The tenth requirement of PCI DSS 4.0 focuses on both logging and monitoring as information-gathering mechanisms for organizations handling cardholder data. These mechanisms must support the tracking of security issues and user activity both externally and internally. Likewise, this requirement guides how these businesses can maintain a complete audit trail to use as a forensic and legal tool to identify, trace, and remedy security issues.

 

10.1 – Process and Mechanisms for Logging and Monitoring 

 

10.2 – Audit Logs Are Implemented to Support the Detection of Anomalies

 

10.3 – Audit Logs Are Protected from Destruction and Unauthorized Modifications

 

10.4 – Audit Logs Are Reviewed to Identify Anomalies or Suspicious Activity

 

10.5 – Audit Log History Is Retained and Available for Analysis

 

10.6 – Time-Synchronization Mechanisms Support Consistent Time Settings

 

10.7 – Failures of Critical Security Control Systems Are Detected, Reported, and Responded to Promptly

 

Prepare for PCI DSS 4.0 with Lazarus Alliance

As we dig into the requirements of PCI DSS, you will see the increasing complexity and interoperability of the different technologies, policies, and practices you’ll need to deploy to receive PCI verification and maintain compliance. These practices aren’t just for completing a checklist, however: they are tried-and-true security practices that will help support your security efforts ten years from now.

 

Are You Thinking Ahead for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form.
