In addition to requirements specifying the security controls you apply to the systems and networks handling credit card transactions, the Payment Card Industry Data Security Standard (PCI DSS) also requires that you regularly monitor and test those controls. This includes specifications for logging, monitoring and penetration testing.
One of the most burdensome requirements of PCI DSS is the requirement that you establish a process for logging a great deal of activity, tying activity records to individual users and storing those logs for future reference. Organizations approaching PCI DSS for the first time typically find large gaps between their current practices in this area and the PCI DSS requirements. For example, the standard requires that you log:
- All access to cardholder data
- All actions taken by an administrator
- All access to logs
- All invalid login attempts
- All identification and authentication mechanisms
- All creations or deletions of system-level objects
That's a lot of activity. For each of those events, you need to store:
- User name
- Event type
- Success/failure status
- Origination of event
- Identity of affected system/resource/data
And, to top it all off, you need to retain this data for at least a year, with three months available immediately for online access. You'll also need
It's not sufficient to simply store voluminous log records: you also must review those logs on at least a daily basis to identify any suspicious activity. PCI requires that you perform these daily reviews for any logs of security-related systems along with authentication, authorization and accounting servers. This is where automation is your friend. It's virtually impossible to perform these reviews without the assistance of log monitoring tools (at the very least) or a security incident monitoring (SIM) system at best.
In addition to monitoring your logs, PCI DSS requires that you place intrusion detection and/or prevention systems on your network in position(s) where they can monitor all traffic within your cardholder data environment. The IDS/IPS must be configured to alert security personnel to any suspicious traffic and to receive regular signature updates. It's a good idea to configure these systems to alert whenever they detect cleartext credit card numbers on the network. You can do this by using credit card regular expressions.
Finally, you must deploy file integrity monitoring software on your systems to identify any unauthorized modifications of critical files on at least a weekly basis. The most well-known solution in this space is the Tripwire file integrity monitoring software, but you also may wish to investigate alternatives, such as Solidcore.
TESTING SECURITY CONTROLS
PCI DSS requires that you conduct regular testing of your security controls as well. There are three main requirements in this area:
- You must scan your airspace for any rogue wireless access points using a wireless analyzer at least quarterly. Alternatively, you may deploy a wireless IDS/IPS that is capable of detecting unauthorized wireless devices and alerting security personnel to their presence.
- You must conduct both internal and external vulnerability scans on at least a quarterly basis and after any significant network change. The quarterly external scans must be conducted by an Approved Scanning Vendor while the other scans may be performed by your staff.
- You must perform both internal and external penetration testing annually or after any significant change to infrastructure or applications. It's usually a good idea (although not a requirement) that you use an external vendor for these tests to ensure impartiality and have a fresh set of eyes reviewing your security controls.
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a contributor to SearchMidmarketSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the "CISSP Prep Guide" and "Information Security Illuminated."
Send comments on this technical tip firstname.lastname@example.org.
This was first published in September 2009