What Are the PCI Audit Log Retention Requirements?

Generating an audit trail is integral to compliance with the Payment Card Industry Data Security Standard (PCI DSS), the standard retailers and banks use to protect consumers’ credit card information.

Audit logs, log management, and log retention are all essential parts of PCI DSS requirement 10.7. The standard mandates that audit logs be retained for at least one year. Ninety days of PCI audit logs must also be available for immediate analysis.

So how can a company achieve those compliance demands? This article will answer that question. Let’s begin with the basics.

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a widely recognized (and used) standard to safeguard the personal information of payment card users, and to improve the security of transactions using credit, debit, and cash cards. The four major credit card issuers – Visa, MasterCard, Discover, and American Express – jointly developed and launched PCI DSS in 2004.

The standard has six primary goals.

1. Companies must maintain a secure network. This criterion calls for the deployment of reliable firewalls, without putting consumers or merchants through unnecessary hardship.
2. Cardholder data must be secure. You should store vital information such as birth dates, names, Social Security numbers, phone numbers, and postal addresses in databases that are safe against hacking. The data should be encrypted before being sent over public networks.
3. Use regularly updated antivirus software, anti-spyware tools, and other anti-malware solutions to protect against attackers. Every application should be protected against flaws and security holes that might allow hackers to steal or modify cardholder data.
4. Limit and manage access to system information and processes. Cardholders should only be required to provide data that’s necessary for companies to know to complete a transaction. Each computer user must be given a unique and private identifying name or number.
5. Networks must be continuously monitored and tested, to make sure that all security procedures and measures are in place, maintained, and working effectively.
6. Companies should create, maintain, and abide by a documented information security policy to assure that security and information protection follow a rigorous, thoughtful process that reflects the company’s risks.

What Is a PCI Audit?

The PCI DSS Standard requires that merchants who accept credit card transactions must undergo a routine audit to assure and maintain compliance. Sometimes additional audits may also be required in response to a specific breach or other security failure.

These audits are conducted by auditors specially qualified to assess PCI compliance. They assess whether the company’s internal processes adhere to standard by looking at point-of-sale systems and other components of the company’s IT infrastructure. Companies also receive risk assessments from the assess outlining their PCI level of compliance.

What Is a SIEM?

The SIEM acronym stands for Security Information and Event Management System. It is a system that integrates multiple cybersecurity disciplines such as file integrity monitoring, intrusion detection systems, user activity, data breach detection, and Syslog aggregation.

The SIEM consumes log data from log servers and provides log analysis to establish an audit trail history. In addition, a proper SIEM has alerting configured to help information security professionals find the operating system and user account compromises that may lead to credit card and card data compromise.

An organization’s IT and security infrastructure, including host systems, networks, firewalls, and antivirus security devices, are all sources of event data that a SIEM gathers and aggregates. The program allows security teams to learn more about attackers’ tactics, techniques, and procedures (TTPs), using threat rules generated from knowledge of known Indications Of Compromise (IOCs) and prior TTPs.

Since SIEMs are crucial to generate audit trails for cybersecurity analysis and risk management; and audit trails are a requirement of PCI DSS compliance, a company can’t achieve and maintain its PCI compliance without using some sort of SIEM system.

What are the SIEM PCI Compliance Requirements?

As we mentioned earlier, PCI DSS has six broad goals. Within those six broad goals are 12 more specific requirements.

Goal 1: Creating and keeping a secure network

Requirements:

• Upkeep of firewall configuration
• Verify that all system passwords are distinct and original

Goal 2: Safeguard cardholder data

Requirements:

• Defend stored cardholder information
• Transmit cardholder information across public networks securely

Goal 3: Keep a vulnerability management program going

Requirements:

• Use and update antivirus software.
• Create secure systems and apps

Goal 4: Implement adequate access control procedures

Requirements:

• Limit cardholder information to those who need to know it.
• Give each employee with access to the company’s computers a unique ID
• Limit physical access to cardholder information

Goal 5: Monitor and test networks

Requirements:

• Keep an eye on and record access to cardholder information and appropriate network resources
• Test security procedures and systems regularly

Goal 6: Maintain an information security policy

Requirements:

• Establish an information security policy and implement it within the company

An organization should take the following three actions to comply with the PCI DSS:

• Identification of cardholder data, inventorying technology and business procedures, and vulnerability analysis are all parts of the assessment.
• Fix the vulnerabilities as soon as they are found, and avoid storing unneeded cardholder data.
• Report, record, and deliver compliance and remediation validation reports to the concerned banks and card brands.

Automate PCI Compliance Effortlessly with Reciprocity ZenComply

Regardless of your compliance issues, it would help if you incorporate data security into every aspect of your operations. Our state-of-the-art governance, risk, and compliance management system provides the most accurate PCI assessment tool. Zen continuously scans your networks and methods to assess where you stand concerning PCI DSS compliance requirements, and where you (and your vendors) fall short.

Your business can use ZenComply compliance management, risk management, and workflow management features as a single solution. ZenComply interfaces to a variety of tools with ease, moving data for you and associating controls with all of your compliance requirements, including Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), Security Operations Center (SOC), and others.

ZenComply’s color-coded “single source of truth” dashboards, which update automatically as the framework changes, show how to address compliance gaps at a glance. Additionally, it carries out internal audits with a few clicks as frequently as you wish while looking at the controls surrounding your Cardholder Data Environment (CDE).

Schedule a demo to learn more about how ZenComply can help you to automate, simplify, and manage your compliance needs.