PCI
In December 2004, Visa, MasterCard, and the other leading credit card brands enacted the Payment Card Industry Data Security Standard (PCI Standard). The PCI Standard is a comprehensive, detailed, and recurring program to provide for cardholder security. Its aim is to reduce cardholder fraud and to maintain and enhance the reputation for trust and security of the leading credit card brands.
The PCI Standard applies to all those involved in handling credit card transactions, including banks, merchants, and the service providers that process credit card transactions. It incorporates 12 basic requirements designed to secure and protect cardholder data from unauthorized access. Penalties for non-compliance can be significant: for example, companies that experience breaches and are found to be non-compliant can face fines of up to $500,000 per incident, in addition to other restrictions from Visa and MasterCard.
The PCI Standard specifically identifies log management in Point 10 (“Track and Monitor All Access to Network Resources and Cardholder Data”; see sidebar) as an essential tool for the security of cardholder data and cardholder transactions. In addition, merchants and service providers are required to carry out exercises and produce reports to confirm their compliance with the PCI Standard. Depending on the size of the merchant and the volume of transactions, these activities include independent or internal audits, writing a regular “Report on Compliance”, and a Quarterly Network Scan.
LogLogic’s log management solutions are a powerful resource for compliance with the PCI Standard while enabling merchants and service providers to gain the greatest visibility and security in their networks.
LogLogic solutions provide visibility and control over key compliance issues:
- Alignment of log data collection, reporting, alerting and storage with your IT control and risk matrix
- Undesired access to financial and confidential records
- Rapid remediation of threats
- Malicious content that may alter, damage or contribute to theft of sensitive information
- Rate-based attacks that can reduce or impede the availability of critical resources and information
- Proper auditing, monitoring, logging, and reporting of security events for rapid identification and response to a material event
- Forensic analysis of suspicious or material events
- Detailed archiving of network logs in legally acceptable and easily managed form
The 12 Points of the PCI Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security