PCI DSS Requirement 10: Easy Guide for Businesses

January 19, 2024

A Quick Overview of PCI DSS Requirement 10

In 2023, data breaches exposed almost 6.5 million records around the world, with disastrous results for consumers and businesses alike. Compliance with the Payment Card Industry Data Security Standard helps companies maintain cardholder payment data securely. If your business processes or stores data from credit cards, cash cards or debit cards, you must meet PCI DSS Requirement 10.


What Is PCI DSS Requirement 10?

Requirement 10 involves tracking all access to cardholder data and related system resources. This means having robust activity logs that provide ample details regarding:

  • Who: The specific user who performed each action
  • What: The action that took place and the data that was accessed
  • Where: The entry point to the system and all network resources used
  • When: The date and time of each related action
  • How: The method of access to the overall system and individual components, including databases and devices

Put simply, your goal is to manage your data flow carefully and securely. To do this, you have to create an in-depth audit trail.

Why Is PCI DSS Requirement 10 Important?

There are four main reasons why every organization that falls under PCI DSS rules must implement Requirement 10 fully:

  1. Essential for PCI compliance: To stay PCI DSS-compliant and continue processing credit card transactions and online payments, your business must have tracking and auditing systems in place.
  2. Smart for data security: This monitoring framework follows data security best practices, so implementing it helps your company in all areas of information storage, including proprietary records.
  3. Invaluable for security breaches: When you have excellent tracking and auditing features, you can identify security breaches faster and choose effective actions to correct the problem.
  4. Vital for stronger defenses: You can use what you learn from logs to make changes to how your employees access data, shoring up weaknesses and preventing intrusions.

Following PCI DSS Requirement 10 to the best of your ability can prevent catastrophic damage to your business’s operations and reputation. By detecting minor security violations ASAP, your information security personnel can correct issues before they turn into full-blown data breaches that leak cardholder payment information.

How Can Your Business Implement Requirement 10?

Staying up to date with PCI DSS is important, and your business can refer to the in-depth reference guide provided by the PCI Security Standards Council for detailed information. We’ve summarized some key goals that help you keep your operations running smoothly and securely.

Create Audit Logs on a Per-User Basis

The first step is to use an organizational data system that offers audit tools. To be effective, this system must track the actions of each user individually rather than in groups.

For example, if your organization has documents restricted to the group “site managers,” every member of that group should still have a personal user ID, such as “John Jones” or “User29987.” That way, in case of an internal breach, you know which employee’s access credentials were misused.

Design Automatic Audits and Alerts for Suspicious Activities

Malicious users often take several types of actions to attempt to gain access to protected data. By setting up your system to alert the chief information security officer immediately when these events happen, you can stop breaches in progress or minimize the damage.

To be PCI DSS Requirement 10-compliant, you must log all suspicious and sensitive actions:

  • Actions by users who have administrative privileges
  • Access to cardholder data
  • Access to audit trails, audit settings and tracking logs
  • Failed login attempts
  • Changes to authentication or security settings
  • Creation of new processes
  • Removal of system objects

Hackers try to eliminate the record of their activities by changing, adding to or deleting audit logs and workflow objects, but alerts allow a CISO to manage the system quickly and efficiently.

Understand What Information To Track

At Compyl, we work with clients to personalize data workflow systems. This makes a huge difference because every organization has different needs related to PCI DSS compliance and data tracking. At the very least, track the following information:

  • User name
  • Date and time
  • Type of event/action (for example, login attempt)
  • Source of event (for example, the IP address of the login attempt)
  • Success or failure details (including the number of unsuccessful attempts)
  • Description of the area, item or information accessed

All of this information is exceptionally valuable if a breach occurs.
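As an added example (not code from the article or from Compyl), the following Python checks constructed audit events for the minimum fields listed above and raises alerts for three of the sensitive actions named earlier: repeated failed logins, access to the audit trail, and changes to authentication settings. The field names, resource names and the failed-login threshold are this example's own assumptions.

```python
"""Added example (not from the original article): validate that each audit event
carries the fields the article lists, then run simple alert rules over a
constructed batch of events."""
from collections import Counter

# Minimum fields the article calls for; the key names are this example's own.
REQUIRED_FIELDS = {"user", "timestamp", "event_type", "source_ip", "success", "resource"}

# Constructed sample events (not real data). Resource names are assumptions.
SAMPLE_EVENTS = [
    {"user": "User29987", "timestamp": "2024-01-19T08:00:01", "event_type": "login",
     "source_ip": "10.0.0.5", "success": False, "resource": "payments-portal"},
    {"user": "User29987", "timestamp": "2024-01-19T08:00:07", "event_type": "login",
     "source_ip": "10.0.0.5", "success": False, "resource": "payments-portal"},
    {"user": "User29987", "timestamp": "2024-01-19T08:00:15", "event_type": "login",
     "source_ip": "10.0.0.5", "success": False, "resource": "payments-portal"},
    {"user": "jjones", "timestamp": "2024-01-19T09:12:44", "event_type": "read",
     "source_ip": "10.0.0.9", "success": True, "resource": "audit-trail"},
    {"user": "jjones", "timestamp": "2024-01-19T09:13:02", "event_type": "config_change",
     "source_ip": "10.0.0.9", "success": True, "resource": "auth-settings"},
    {"user": "svc-batch", "timestamp": "2024-01-19T09:20:00", "event_type": "read",
     "source_ip": "10.0.0.12", "success": True, "resource": "orders"},
]

def missing_fields(event):
    """Return the required fields an event lacks (an empty set means it is complete)."""
    return REQUIRED_FIELDS - event.keys()

def detect_alerts(events, failed_login_threshold=3):
    """Return alert strings for three patterns the article says must be logged:
    repeated failed logins, access to the audit trail, and authentication changes."""
    alerts = []
    failures = Counter()  # (user, source_ip) -> number of failed logins seen
    for e in events:
        if missing_fields(e):
            alerts.append(f"incomplete event from {e.get('user', '?')}: "
                          f"missing {sorted(missing_fields(e))}")
            continue
        if e["event_type"] == "login" and not e["success"]:
            failures[(e["user"], e["source_ip"])] += 1
            if failures[(e["user"], e["source_ip"])] == failed_login_threshold:
                alerts.append(f"{failed_login_threshold} failed logins for "
                              f"{e['user']} from {e['source_ip']}")
        if e["resource"] == "audit-trail":
            alerts.append(f"audit trail accessed by {e['user']} at {e['timestamp']}")
        if e["event_type"] == "config_change" and e["resource"] == "auth-settings":
            alerts.append(f"authentication settings changed by {e['user']} at {e['timestamp']}")
    return alerts
```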

Protect Your Audit Trails

Create rules that prevent unauthorized users from even getting close to audit data or settings. For example, limit viewing of audit trails to high-level administrators only, such as the CISO.

PCI DSS Requirement 10 recommends compartmentalization for log storage. For example, you can back up audit logs in a discrete network with unique access controls. Software that tracks changes to critical files can also help raise red flags quickly in the event of an attack.
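One way to make changes to stored audit logs detectable, as an added example that is not from the article or Compyl: each record is hashed together with the previous record's hash, so editing, inserting or deleting an earlier entry breaks every link after it. The record contents are constructed and the field names are this example's assumptions.

```python
"""Added example (not from the original article): a hash-chained audit log whose
integrity can be re-verified to detect edits, insertions or deletions."""
import hashlib
import json

GENESIS = "0" * 64  # anchor hash for the first record in the chain

def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no spaces) so the same record always hashes identically.
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append_record(chain, record):
    """Append a record, linking it to the hash of the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "hash": _digest(prev, record)})
    return chain

def verify_chain(chain):
    """Return the index of the first entry whose hash does not match, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1

def build_sample_chain():
    """Build a chain from three constructed audit records."""
    chain = []
    for rec in [
        {"user": "jjones", "timestamp": "2024-01-19T09:12:44", "event_type": "read", "resource": "audit-trail"},
        {"user": "jjones", "timestamp": "2024-01-19T09:13:02", "event_type": "config_change", "resource": "auth-settings"},
        {"user": "svc-batch", "timestamp": "2024-01-19T09:20:00", "event_type": "read", "resource": "orders"},
    ]:
        append_record(chain, rec)
    return chain

def deleted_record_demo():
    """Delete the middle record: verification reports index 1, where the chain breaks."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)

def edited_record_demo():
    """Alter the first record's user field: verification reports index 0."""
    chain = build_sample_chain()
    chain[0]["record"]["user"] = "someone-else"
    return verify_chain(chain)
```

The chain only proves tampering if the latest hash is also written to a store the log writer cannot modify, such as the separately controlled network described above; otherwise whoever can rewrite the log can recompute the chain.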

Schedule Frequent Reviews of Tracking Data

The more time passes without reviewing process security, the greater the risks of undetected intrusions. Ignorance isn’t bliss when it comes to data security.

Generally speaking, the CISO should monitor audit logs daily. This review should check critical parts of the data flow, security alerts and any areas that process secure cardholder information.

Store Audit Trails for at Least One Year

Businesses don’t always realize a hack has occurred until afterward. Having audit trails is vital to determine what happened, whose data was impacted and how to patch the vulnerability.

Track Performance of Critical Security Systems and User Access Controls

Service businesses often face situations where personnel need to enter cardholder data on site or offline. Does each contractor follow good physical security practices, such as using a lock screen and PIN for the device?

Does your chosen platform remain secure when offline? Do you have a way to track log-in behaviors, mobile device security updates, firewall settings and antivirus protections?

Be proactive when it comes to device management. Select a tracking platform that automatically uploads logs when offline devices enter the network.


Choose a Workflow Automation Platform That Complies With PCI DSS Requirement 10

At Compyl, we create fully PCI DSS-compliant information security systems. Streamline your business operations for all employees while ensuring only authorized users can access critical systems. See access logs in real time and get detailed information about user behavior. Learn more about implementing PCI DSS Requirement 10 as effortlessly and cost-effectively as possible with our state-of-the-art workflow automation solutions.
