PCI-DSS Audit

PCI-DSS (Payment Card Industry Data Security Standard) was established by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. Today it is the most widely accepted security and compliance standard for reducing credit card fraud, especially for Visa and Mastercard acquiring banks, merchants, and eCommerce sites.

One of the most frustrating and misunderstood obstacles to compliance in a PCI-DSS audit is tracking and monitoring all access to network resources and cardholder data (PCI-DSS Chapter 10). Although monitoring access should be familiar to everyone, the requirements stated by PCI-DSS are not simple to comply with:

  • Implement audit trails to link all access to system components to each individual user.
    • What if some system components don’t have complete audit trails?
    • What if the user is using a shared account such as root or administrator?
  • Implement automated audit trails for all system components to reconstruct the events.
    • What if only some of the applications have a complete audit trail, while others don’t?
    • What if root/administrator stops or pauses the audit logs?
  • Secure audit trails so they cannot be altered.
    • What if root/administrator alters or deletes the audit trail?
    • How should the application server and the audit trail server be segregated?


How can ObserveIT help you survive the PCI-DSS audit?

  • Implement audit trails to link all access to system components to each individual user.
  • Implement automated audit trails for all system components to reconstruct the events.
    • ObserveIT captures the entire session initiated by every user, so it can completely reconstruct any incident involving either a shared privileged login or an individual organizational user.
    • ObserveIT has a watchdog mechanism that resumes auditing even if someone kills the ObserveIT process.
  • Secure audit trails so they cannot be altered.
    • The ObserveIT agent immediately sends the audit trail to a database located away from the observed server, so the audit trail can’t be modified by a local root user on the observed server.


What about PCI-DSS 3.0?

PCI-DSS 3.0 requirements are noticeably stricter than those of PCI-DSS 2.0. It states that the organization has to implement an audit trail for the “Initialization, stopping, or pausing of the audit logs” (Requirement 10.2.6), which is very difficult, if not impossible, to achieve without a third-party logging tool like ObserveIT on the server.

The ability to track the individual who uses a shared or privileged account has also become mandatory, and periodic review to identify anomalies and follow up on exceptions has been added to the checklist, making the guidelines, policies, and procedures very complex to execute without a tool like ObserveIT.


Fossa has made ObserveIT available for the Indonesian market and helps companies in Jakarta comply with international data security standards. With a best-practice tool like ObserveIT, complying with the PCI-DSS Chapter 10 assessment becomes almost effortless. ObserveIT can provide your auditor with the information they need for the checklist, and keep the management in your company smiling with the compliance certificate they receive.


Fossa is the authorized ObserveIT distributor in Indonesia.