PCI 10:

From HORSE - Holistic Operational Readiness Security Evaluation.

Requirement 10: Track and monitor all access to network resources and cardholder data.


  • Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.




PCI-10.1 Establish a process for linking all access to system components (especially those done with administrative privileges such as root) to an individual user.




PCI-10.2 Implement automated audit trails to reconstruct the following events, for all system components:


PCI-10.2.1 All individual user accesses to cardholder data.


PCI-10.2.2 All actions taken by any individual with root or administrative privileges.


PCI-10.2.3 Access to all audit trails.


PCI-10.2.4 Invalid logical access attempts.


PCI-10.2.5 Use of identification and authentication mechanisms.


PCI-10.2.6 Initialization of the audit logs.


PCI-10.2.7 Creation and deletion of system-level objects.




PCI-10.3 Record at least the following audit trail entries for each event, for all system components:


PCI-10.3.1 User identification.


PCI-10.3.2 Type of event.


PCI-10.3.3 Date and time.


PCI-10.3.4 Success or failure indication.


PCI-10.3.5 Origination of event.


PCI-10.3.6 Identity or name of affected data, system component, or resource.




PCI-10.4 Synchronize all critical system clocks and times.




PCI-10.5 Secure audit trails so they cannot be altered, including the following:


PCI-10.5.1 Limit viewing of audit trails to those with a job-related need.


PCI-10.5.2 Protect audit trail files from unauthorized modifications.


PCI-10.5.3 Promptly back up audit trail files to a centralized log server or to media that is difficult to alter.


PCI-10.5.4 Copy logs for wireless networks onto a log server on the internal LAN.


PCI-10.5.5 Use file integrity monitoring/change detection software (such as Tripwire) on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
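The two ideas in 10.3 (every entry carries a fixed set of fields) and 10.5.5 (existing entries cannot change without an alert, but appending is normal) can be combined in a hash-chained audit log. The example below is added here to illustrate that and is not part of the original page or of any FIM product; the field names, the JSON-lines layout and the idea of keeping the last verified head hash on the central log server are this example's own assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Field names are this example's own choice; they map onto PCI 10.3.1-10.3.6:
# user identification, type of event, date and time, success/failure,
# origination of the event, and the affected data, component or resource.
REQUIRED_FIELDS = ("user", "event", "time", "result", "origin", "target")
GENESIS = "0" * 64   # "previous hash" of the very first entry


def _digest(prev_hash, body):
    """Hash of this entry bound to the hash of the entry before it."""
    return hashlib.sha256((prev_hash + "\n" + body).encode("utf-8")).hexdigest()


def make_record(prev_hash, **fields):
    """Build one chained audit entry; refuse an entry missing a 10.3 field."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit entry missing required fields: {missing}")
    body = json.dumps({k: fields[k] for k in REQUIRED_FIELDS}, sort_keys=True)
    return {"prev": prev_hash, "body": body, "hash": _digest(prev_hash, body)}


def append_entry(log_lines, prev_hash, **fields):
    """Append one entry as a JSON line; return its hash, the new chain head."""
    rec = make_record(prev_hash, **fields)
    log_lines.append(json.dumps(rec, sort_keys=True))
    return rec["hash"]


def verify_chain(log_lines, baseline_head=None):
    """Re-walk the chain and return (ok, reason, head_hash).

    Editing any existing line breaks the chain at that line, while lines
    appended after the baseline simply extend it, which is the 10.5.5
    behaviour (alert on change, not on growth). baseline_head is the head
    hash recorded at the previous check and kept off the monitored host
    (e.g. on the central log server of 10.5.3): a hash chain alone cannot
    see that its tail was cut off, but a chain that no longer passes through
    the baseline head has had entries removed.
    """
    prev = GENESIS
    seen_baseline = baseline_head in (None, GENESIS)
    for n, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("not an object")
        except ValueError:
            return False, f"line {n}: not a valid audit record", prev
        if rec.get("prev") != prev:
            return False, f"line {n}: chain link does not match previous entry", prev
        if _digest(prev, rec.get("body", "")) != rec.get("hash"):
            return False, f"line {n}: entry content altered", prev
        prev = rec["hash"]
        if prev == baseline_head:
            seen_baseline = True
    if not seen_baseline:
        return False, "entries removed since last baseline", prev
    return True, "ok", prev


def demo():
    """Constructed sample: two entries, a check after a legitimate append,
    then an in-place edit and a truncation, both of which must be flagged."""
    log = []
    when = datetime(2006, 7, 7, 15, 27, tzinfo=timezone.utc).isoformat()
    head = append_entry(log, GENESIS, user="alice", event="db_query", time=when,
                        result="success", origin="10.1.2.3",
                        target="cardholder_db.transactions")
    baseline = head                      # head hash the last review recorded
    head = append_entry(log, head, user="root", event="sudo", time=when,
                        result="failure", origin="10.1.2.9",
                        target="/var/log/audit/audit.log")
    results = {"after_append": verify_chain(log, baseline)}

    altered = list(log)
    altered[0] = altered[0].replace("alice", "mallory")   # rewrite history
    results["altered"] = verify_chain(altered, head)

    results["truncated"] = verify_chain(log[:1], head)    # newest entry deleted
    return results


if __name__ == "__main__":
    for name, (ok, reason, head) in demo().items():
        print(f"{name:13s} ok={ok} reason={reason} head={head[:12]}...")
```

The chain only proves that what is on disk is the sequence that was written; it does not stop a root-level attacker from rewriting the whole file and recomputing every hash. That is why the verified head hash must live somewhere the attacker cannot reach, which is the point of shipping logs to a central server (10.5.3) and of the alert-on-change check in 10.5.5.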




PCI-10.6 Review logs for all system components at least daily. Log reviews must include the servers that perform security functions, such as intrusion detection systems (IDS) and authentication, authorization and accounting (AAA) servers (e.g., RADIUS).
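As an added example of what the daily review in 10.6 looks like in practice, the script below reads authentication-server logs and pulls out two things the requirement cares about: repeated invalid logical access attempts from one source (10.2.4) and every privileged action tied back to the individual who ran it (10.1 and 10.2.2). It is not from the original page; the log lines are constructed in Linux auth.log style, and the five-failures-in-five-minutes threshold, the 2006 year and the host name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Linux auth.log style; these are not real log lines.
SAMPLE_AUTH_LOG = """\
Jul  7 11:20:01 pay01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul  7 11:20:03 pay01 sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
Jul  7 11:20:05 pay01 sshd[4025]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jul  7 11:20:06 pay01 sshd[4027]: Failed password for root from 203.0.113.7 port 51031 ssh2
Jul  7 11:20:08 pay01 sshd[4029]: Failed password for root from 203.0.113.7 port 51033 ssh2
Jul  7 11:21:40 pay01 sshd[4040]: Accepted publickey for alice from 10.1.2.3 port 40022 ssh2
Jul  7 11:21:55 pay01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/audit/audit.log
Jul  7 11:30:12 pay01 sshd[4050]: Failed password for bob from 10.1.2.9 port 40100 ssh2
Jul  7 11:30:20 pay01 sshd[4052]: Accepted password for bob from 10.1.2.9 port 40101 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for "
                      r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(TS + r" \S+ sudo:\s+(?P<user>\S+) : .*\bUSER=(?P<target>\S+)"
                    r" ; COMMAND=(?P<cmd>.*)$")


def parse_ts(ts, year):
    """syslog timestamps carry no year; the reviewer supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def review_auth_log(text, year=2006, threshold=5, window=timedelta(minutes=5)):
    """Return the two things a daily review of an auth server wants to see:
    sources with >= threshold failed logins inside `window` (10.2.4), and
    every privileged action attributed to the individual who ran it (10.1)."""
    failures = defaultdict(list)    # source address -> [(time, target user)]
    admin_actions = []              # (time, individual, target user, command)
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["src"]].append((parse_ts(m["ts"], year), m["user"]))
            continue
        m = SUDO_RE.match(line)
        if m:
            admin_actions.append((parse_ts(m["ts"], year), m["user"],
                                  m["target"], m["cmd"]))

    brute_force = []
    for src, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0                   # sliding window over this source's failures
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                brute_force.append({
                    "source": src,
                    "count": end - start + 1,
                    "users": sorted({u for _, u in events[start:end + 1]}),
                    "first": times[start],
                    "last": t,
                })
                break               # one finding per source is enough for review
    return {"brute_force": brute_force, "admin_actions": admin_actions}


if __name__ == "__main__":
    report = review_auth_log(SAMPLE_AUTH_LOG)
    for f in report["brute_force"]:
        print(f"ALERT {f['source']}: {f['count']} failed logins for {f['users']} "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
    for when, who, target, cmd in report["admin_actions"]:
        print(f"{when:%H:%M:%S} {who} ran as {target}: {cmd}")
```

On the sample, the review flags 203.0.113.7 for five failures against admin and root within a few seconds, and lists alice's sudo command against the audit log, which is exactly the 10.1 link between a root-level action and a named person. Bob's single typo is below the threshold and stays out of the alert list, which is the kind of tuning a daily review needs so that it is actually read.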




PCI-10.7 Retain audit trail history for a period that is consistent with its effective use and with applicable legal regulations.


  • An audit history usually covers a period of at least one year, with a minimum of 3 months available online.



--Mdpeters 11:27, 7 July 2006 (EDT)