PCI DSS Revisited – AKA “Read Between the Lines to Protect Online Shoppers”
If you’re part of the security contingent for a retailer with a significant online presence, you’re likely to know the requirements of the PCI DSS standard all too well. After all, somebody has to know them, and you drew the shortest straw! You know that the PCI standard contains 12 requirements, and you know that your company’s reputation could go up in flames in the event of a breach or hack.
Now, zero in on Requirement 10, which is dedicated to logging and monitoring access to network resources and cardholder data. Requirement 10.2 covers automated audit trails that let you reconstruct security-related events such as access to cardholder data and actions taken by anyone with root or administrative privileges. 10.3 requires that each event record specific details: the user, the type of event, the date and time, success or failure, the origin of the event, and the data or resource affected. 10.4 requires time synchronization so that logged timestamps can be correlated across systems. 10.5 requires that audit trails be protected from tampering. 10.6 covers review of logs and security events at least daily. And finally 10.7 requires log retention for at least a year, with at least three months immediately available for analysis. Whether your infrastructure is on premise or in the cloud, intelligent analysis of these logs makes you more operationally efficient and, more importantly, alerts you to attacks in progress before they turn into a breach.
Attackers routinely compromise merchants without the merchant ever finding out. Just one chilling example: without proper monitoring of logs and proactive protection of the infrastructure, an attacker could change the price of a $1,000 product to $1.00, purchase the product, and have it shipped to a post office box, all without a single alarm reaching IT.
While the PCI DSS standard exists to protect retailers and their online shoppers, the same checklist tells an attacker exactly where a merchant that skips a requirement is weak. For more chilling reading, see “Nearly 80% of Companies Are Not Properly Protecting Cardholder Data,” at http://www.loglogic.com/blog/nearly-80-companies-are-not-properly-protecting-cardholder-data.
Remember, judicious log management is the key. Bottom line: take precautions now to ensure that you comply with the logging requirements of PCI DSS. Hint: don’t assume that a passing grade on a PCI DSS audit means that your cardholder data really is protected!