Tizor Systems, Inc. - Data Protection and Compliance Auditing Solutions

Meeting The Payment Card Industry - PCI 10 Requirements

The Payment Card Industry (PCI) Data Security Standard was developed by American Express, Discover Financial Services, JCB, MasterCard and Visa. It establishes a common framework for how companies that handle credit card data must protect that information. Compliance is enforced through annual audits; non-compliant organizations face a broad range of penalties, including large fines.

PCI requirement 10 calls for the tracking and monitoring of all access to network resources and cardholder data. It mandates that companies: 

  • Know where all critical data resides
  • Review audit logs daily
  • Be able to reconstruct a wide range of events associated with cardholder information
  • Maintain detailed audit trails for each event
PCI DSS #10: Track and monitor all access to network resources and cardholder data.
  • 10.1  Establish a process for linking all data access activities (especially those with administrative privileges) to an individual user or system.
  • 10.2  Implement automated audit trails to reconstruct the following events, for all system components:
    • 10.2.1 – All accesses to cardholder data
    • 10.2.2 – All actions taken by any individual with root or administrative privileges
    • 10.2.3 – Access to all audit trails
    • 10.2.4 – Invalid logical access attempts
    • 10.2.5 – Use of identification and authentication mechanisms
    • 10.2.6 – Initialization of the audit logs
    • 10.2.7 – Creation and deletion of system level objects
  • 10.3  Record at least the following audit trail entries for each event:
    • 10.3.1 – User identification
    • 10.3.2 – Type of event
    • 10.3.3 – Date and time
    • 10.3.4 – Success or failure indication
    • 10.3.5 – Origination of event
    • 10.3.6 – Identity or name of affected data, system component, or resource
  • 10.4  Synchronize all critical system clocks and times.
  • 10.5  Secure audit trails so they cannot be altered in any way.
  • 10.6  Review logs for all system components at least daily.
  • 10.7  Retain your audit trail history for a period consistent with its effective use, as well as legal regulations. An audit history usually covers a period of at least one year, with a minimum of three months available online.

Learn more about Tizor's PCI Compliance and Auditing Solutions