Payment Card Industry (PCI) Data Security Standards (DSS) compliance is often not a black and white assessment. Sure the PCI council gives you the complete assessment document, which fully explains each of the twelve (12) requirements and what is needed for validating each of these respective areas. However, it’s one thing to read them, its a another to truly understand what they mean.
Take PCI Requirement 10: Regularly Monitor and Test Networks. The question often asked to me as a Qualified Security Assessor (QSA) is: What do you want to see logging and audit trails for, that is what systems….and if we’re not logging and producing audit trails, then EXACTLY what system components do we need to start doing this for”? And in all honesty, this is a great question. It’s the who, what, when, where and why for requirement 10.
My initial answer is the following: You need to truly “identify” all system components in the cardholder environment, thus you need to be able to configure and establish logging and audit trail mechanisms for these “system components”. Remember, “system components” are just that, any “system (hardware, software, etc” used in the cardholder environment. So, at a minimum logging and audit trails NEED to be established for the following:
1. Network Devices (firewalls, routers, etc.)
2. Operating Systems (UNIX/LINUX, Windows)
3. Applications on these Operating Systems that support the “cardholder environment”
4. Databases that support the cardholder environment where data is written and saved to.
Remember, this is just a starting point and the above four (4) items are MANDATORY in my view, with many other “system components” that could truly be in scope.