Problem solve Get help with specific problems with your technologies, process and projects.

PCI DSS requirement: Monitoring and testing security

The fifth focus area of PCI-DSS requires regular monitoring of systems and activity, as well regular testing of controls.

In addition to requirements specifying the security controls you apply to the systems and networks handling credit...

card transactions, the Payment Card Industry Data Security Standard (PCI DSS) also requires that you regularly monitor and test those controls. This includes specifications for logging, monitoring and penetration testing.

One of the most burdensome requirements of PCI DSS is the requirement that you establish a process for logging a great deal of activity, tying activity records to individual users and storing those logs for future reference. Organizations approaching PCI DSS for the first time typically find large gaps between their current practices in this area and the PCI DSS requirements. For example, the standard requires that you log:

  • All access to cardholder data
  • All actions taken by an administrator
  • All access to logs
  • All invalid login attempts
  • All identification and authentication mechanisms
  • All creations or deletions of system-level objects

That's a lot of activity. For each of those events, you need to store:

  • User name
  • Event type
  • Timestamp
  • Success/failure status
  • Origination of event
  • Identity of affected system/resource/data

And, to top it all off, you need to retain this data for at least a year, with three months available immediately for online access. You'll also need to take steps to limit log access to those with a legitimate business need, back up your log entries to a centralized server and synchronize your system clocks to ensure consistent timestamps.

More PCI DSS resources
PCI DSS requirement: Implement strong access control procedures: The fourth focus area of PCI DSS governs how organizations enable and restrict access to cardholder data and limit physical access to cardholder data.
PCI DSS requirement: Maintaining a vulnerability management program: The third PCI DSS focus area requires antivirus software, secure coding practices, patch management and change control processes be in place.
PCI DSS requirement: Protect cardholder data: The second PCI DSS focus area spells out how organizations must secure cardholder data they store and transmit.

It's not sufficient to simply store voluminous log records: you also must review those logs on at least a daily basis to identify any suspicious activity. PCI requires that you perform these daily reviews for any logs of security-related systems along with authentication, authorization and accounting servers. This is where automation is your friend. It's virtually impossible to perform these reviews without the assistance of log monitoring tools (at the very least) or a security incident monitoring (SIM) system at best.

In addition to monitoring your logs, PCI DSS requires that you place intrusion detection and/or prevention systems on your network in position(s) where they can monitor all traffic within your cardholder data environment. The IDS/IPS must be configured to alert security personnel to any suspicious traffic and to receive regular signature updates. It's a good idea to configure these systems to alert whenever they detect cleartext credit card numbers on the network. You can do this by using credit card regular expressions.

Finally, you must deploy file integrity monitoring software on your systems to identify any unauthorized modifications of critical files on at least a weekly basis. The most well-known solution in this space is the Tripwire file integrity monitoring software, but you also may wish to investigate alternatives, such as Solidcore.

PCI DSS requires that you conduct regular testing of your security controls as well. There are three main requirements in this area:

  • You must scan your airspace for any rogue wireless access points using a wireless analyzer at least quarterly. Alternatively, you may deploy a wireless IDS/IPS that is capable of detecting unauthorized wireless devices and alerting security personnel to their presence.
  • You must conduct both internal and external vulnerability scans on at least a quarterly basis and after any significant network change. The quarterly external scans must be conducted by an Approved Scanning Vendor while the other scans may be performed by your staff.
  • You must perform both internal and external penetration testing annually or after any significant change to infrastructure or applications. It's usually a good idea (although not a requirement) that you use an external vendor for these tests to ensure impartiality and have a fresh set of eyes reviewing your security controls.

Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a contributor to, a technical editor for Information Security magazine and the author of several information security titles, including the "CISSP Prep Guide" and "Information Security Illuminated."

Send comments on this technical tip

Join our IT Knowledge Exchange discussion forum; please use the midmarket security tag.

Dig Deeper on Audit and compliance planning

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.