Compliance to PCI DSS Requirements

Comply with PCI DSS Requirements using EventLog Analyzer's Predefined Reports

PCI DSS Requirements and how to meet them with EventLog Analyzer

In addition to Requirement 10 of PCI DSS, EventLog Analyzer also houses reports that cater to most other requirements. With an easily comprehensible interface and unparalleled log-sweeping capabilities, EventLog Analyzer's compliance reports make PCI DSS compliance possible within a few clicks.

  • PCI DSS Requirement 3 - Protect Stored Cardholder Data
  • PCI DSS Requirement 7 - Restrict access to cardholder data by business need-to-know.
    • PCI DSS Requirement 7.1 - Limit access to computing resources and cardholder information only to those individuals whose job requires such access.
    • PCI DSS Requirement 7.2 - Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed.
  • PCI DSS Requirement 8 - Assign a unique ID to each person with computer access.
    • PCI DSS Requirement 8.5.1 - Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
    • PCI DSS Requirement 8.5.8 - Do not use group, shared, or generic accounts and passwords.
    • PCI DSS Requirement 8.5.13 - Limit repeated access attempts by locking out the user ID after not more than six attempts.
    • PCI DSS Requirement 8.5.16 - Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
  • PCI DSS Requirement 11.1 - Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use.
  • PCI DSS Requirement 12 - Maintain a policy that addresses information security for employees and contractors.
    • PCI DSS Requirement 12.2 - Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).

PCI DSS Requirement 3:

Protect Stored Cardholder Data

What Needs To Be Done?

Cardholder Data is the holy grail of PCI DSS. Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails.

 

PCI DSS Requirement 3.5.1:

What Is It?

Restrict access to (encryption) keys to the fewest number of custodians necessary.

What Needs To Be Done?

The first stage of protecting cardholder data is to have it encrypted, thereby rendering the data unusable unless the interceptor has the keys to decrypt it. The second stage is to restrict access to the encryption keys. This ensures that not everyone can decrypt the cardholder data, and considerably reduces the risk of cardholder data being put to criminal use, because the keys needed to decrypt the data are no longer widely accessible.

How It Is Done:

The straightforward method of achieving compliance with this requirement is to restrict access to the encryption keys, and this can be done by the usual access control methods.

To prove compliance with this requirement, EventLog Analyzer presents the Report on Object Access, which shows the complete list of users who have accessed objects on the network, with details like the username and the timestamp, along with the object access details. This report can be filtered to show only accesses to encryption keys. With this information, it is easy to arrive at the list of all users who have access to the encryption keys: information mandated by PCI DSS Requirement 3.5.1.

PCI DSS Requirement 7:

Restrict access to cardholder data by business need-to-know.

What Needs To Be Done?

Sensitive resources like cardholder data and PANs are housed in networks that handle a vast number of users and other objects. In such networks, security threats are directly proportional to the size. Therefore it becomes imperative on the part of the organization to restrict access to cardholder data. To make this more systematic, PCI DSS also mandates that access to cardholder data may be allowed only on a business-level need-to-know. This ensures that no unauthorized users access the network, and also that even authorized personnel access the data only per business requirements.

 

This requirement branches into two sub-sections to fulfill the above purpose:

PCI DSS Requirement 7.1:

What Is It?

Limit access to computing resources and cardholder information only to those individuals whose job requires such access.

What Needs To Be Done?

This requirement emphasizes the need to restrict access to cardholder data, and also to the computing resources, to only those with a job-related requirement. One implication of this requirement is that access is not granted on the basis of the user's privilege level on the network; it is independent of the user type. This also means that not every administrative user will have access to cardholder data. This serves to protect sensitive information from being accessed by unauthorized users.

How It Is Done:

The needful measures to restrict access to sensitive areas of the network can be effected by using simple access control methods. However, to prove the effectiveness of these methods, it takes an extra step.

EventLog Analyzer presents four reports that can help you establish your organization's compliance to PCI DSS Requirement 7.1:

  • Report on Successful User Logons gives information on the users who were able to log in to the network. Drilling down on the logon information will give more granular details like time stamp and resources. This data can establish that no user without sufficient privileges or job requirement accessed sensitive resources of the network.
  • Report on Successful Logoffs takes care of the opposite end of the logon section. Using this report, it can be proved that no user stayed for unusually long time stretches and also that every user who logged in has logged off from the network.
  • Reports on Logon Attempts will show that users who, without suitable credentials, tried logging in to sensitive resources of the network, were denied access to the resources.
  • Reports on Audit Policy Changes will help validate any new entry in the logon reports. For example, if a new user has logged in to the network, Audit Policy Changes can show the particular policy change that enabled the user to access a sensitive resource.

PCI DSS Requirement 7.2:

What Is It?

Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed.

What Needs To Be Done?

This requirement is of vital importance when it comes to multiple users accessing the same system. In this case, the privileges have to be user-specific and not system-specific. This ensures that, irrespective of the system the users are logged in to, only the users who have sufficient privileges can access the resources. This requirement also mandates that no user is granted access to sensitive areas of the network by default. This is important so that no newly created user is defaulted into accessing all the network resources.

How It Is Done:

As in every case, the permissions for each user can be configured using access control lists. To prove the effectiveness of these access control measures and, in turn, to establish compliance with PCI DSS Requirement 7.2, EventLog Analyzer presents two reports:

  • The Successful User Logon Report shows that only the users who have proper credentials and the business-requirement have logged in to access the secure areas of the network.
  • Reports on Logon Attempts will show that users who, without suitable credentials, tried logging in to sensitive resources of the network, were denied access to the resources.

PCI DSS Requirement 8:

Assign a unique ID to each person with computer access.

What Needs To Be Done?

This requirement of PCI DSS demands that a unique identifier be assigned to each person who has access to the network computers. Though this requirement might seem basic and taken for granted, it has profound repercussions on network security. Only if a unique identifier exists for each user with computer access can each action performed using the credentials be traced back to the user. This helps trace the cause of a security breach to its exact source.

Requirement 8.5 specifically talks about using proper user-authentication and password mechanisms. This requirement is further divided into sub-sections, and each one plays a part in achieving the end goal of being able to uniquely identify users.

PCI DSS Requirement 8.5.1:

What Is It?

Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.

What Needs To Be Done?

User authentication and the security of login credentials have a direct impact on cardholder data security. Securing user access and login credentials greatly enhances the security of cardholder data. Therefore it is important to keep tabs on user-administration activities. For this reason, PCI DSS mandates that there be complete control over the addition and modification of user IDs and any other identifier object.

How It Is Done:

Even outside the PCI DSS point of view, it is important to have controls over the creation and modification of users. These controls can be effected by defining the powers of each user using standard access control methods. To establish compliance with PCI DSS, it is important to prove that the access control methods are effective.

EventLog Analyzer comes pre-loaded with Change Audit Reports that will help in this respect. Using EventLog Analyzer's Change Audit Reports, the exact policy changes can be traced. This can help track the effect of each policy change - the users or the roles that were authorized to perform modifications on the user IDs can be identified. This data can help establish compliance to PCI DSS.

PCI DSS Requirement 8.5.8:

What Is It?

Do not use group, shared, or generic accounts and passwords.

What Needs To Be Done?

The implications of this requirement are obvious: using group, shared or generic accounts and passwords defeats the entire purpose of assigning a unique user ID, because the actions performed using generic credentials cannot be traced to a single user. Hence, from a security perspective, it is of utmost importance to comply with this PCI DSS requirement.

How It Is Done:

The only way to prove that your organization is compliant to the above-mentioned requirement is to list out all the user-names with accesses to network resources, and prove that there's no generic name in the list.

EventLog Analyzer, with its Successful Logon Reports, will help prove your compliance with this requirement. Using EventLog Analyzer's Successful Logon Reports, all the users who successfully logged in to the network can be obtained. Using the user names in the list, it can be proved that no generic names were used to log in to the system or the network.

PCI DSS Requirement 8.5.13:

What Is It?

Limit repeated access attempts by locking out the user ID after not more than six attempts.

What Needs To Be Done?

Access to cardholder data and other sensitive resources cannot be left to chance; this requirement of PCI DSS seals such loopholes. Per this requirement, to achieve compliance, a user ID must be locked out after not more than six unsuccessful logon attempts. With this requirement in place, any unauthorized user who tries to access a restricted resource by guessing the password cannot keep guessing indefinitely.

How It Is Done:

The primary method of enforcing this measure is to enforce strong password policies and define the number of unsuccessful logon attempts allowed before the user is denied access to the resource they are trying to reach.

EventLog Analyzer with its Successful Logon Reports will help prove your compliance to this requirement. Using EventLog Analyzer's Successful Logon Reports, all the users who successfully logged in to the network can be obtained. Using the user-names in the list, it can be proved that no generic names were used to log-in to the system or the network.
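As an added example (not from this page or from EventLog Analyzer), the following Python log-review script performs, over constructed logon events, the two checks described for Requirements 8.5.8 and 8.5.13: listing generic or shared account names that logged on successfully, and finding user IDs that ran past six failed attempts without an intervening lockout. The event format, host and user names, and the list of generic account names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample logon events (not real product output): "<ts> <host> <event> user=<name>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 srv01 LOGON_SUCCESS user=jdoe
2024-03-01T08:02:00 srv01 LOGON_FAILURE user=asmith
2024-03-01T08:02:05 srv01 LOGON_FAILURE user=asmith
2024-03-01T08:02:09 srv01 LOGON_FAILURE user=asmith
2024-03-01T08:02:14 srv01 LOGON_FAILURE user=asmith
2024-03-01T08:02:20 srv01 LOGON_FAILURE user=asmith
2024-03-01T08:02:25 srv01 LOGON_FAILURE user=asmith
2024-03-01T08:02:31 srv01 LOGON_FAILURE user=asmith
2024-03-01T08:05:00 db01 LOGON_FAILURE user=bjones
2024-03-01T08:05:04 db01 LOGON_FAILURE user=bjones
2024-03-01T08:05:09 db01 LOGON_FAILURE user=bjones
2024-03-01T08:05:13 db01 LOGON_FAILURE user=bjones
2024-03-01T08:05:18 db01 LOGON_FAILURE user=bjones
2024-03-01T08:05:22 db01 LOGON_FAILURE user=bjones
2024-03-01T08:05:22 db01 ACCOUNT_LOCKOUT user=bjones
2024-03-01T09:10:00 db01 LOGON_SUCCESS user=admin
2024-03-01T09:12:30 srv02 LOGON_FAILURE user=ckumar
2024-03-01T09:12:45 srv02 LOGON_SUCCESS user=ckumar
"""

# Generic/shared IDs forbidden by 8.5.8 (assumed list; adapt to your naming standard)
GENERIC_ACCOUNTS = {"admin", "administrator", "guest", "root", "shared", "test"}
LOCKOUT_THRESHOLD = 6  # 8.5.13: lock out the ID after not more than six attempts

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) "
                     r"(?P<event>LOGON_SUCCESS|LOGON_FAILURE|ACCOUNT_LOCKOUT) user=(?P<user>\S+)$")


def parse_events(text):
    """Parse the constructed format into dicts; lines that don't match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def lockout_findings(events, threshold=LOCKOUT_THRESHOLD):
    """User IDs with more than `threshold` consecutive failures and no lockout in between."""
    streak = defaultdict(int)
    findings = set()
    for e in events:
        user = e["user"]
        if e["event"] == "LOGON_FAILURE":
            streak[user] += 1
            if streak[user] > threshold:
                findings.add(user)  # the 8.5.13 lockout control did not fire
        else:  # a success or a lockout closes the current failure streak
            streak[user] = 0
    return sorted(findings)


def generic_account_logons(events, generic=GENERIC_ACCOUNTS):
    """Successful logons made under generic or shared IDs (8.5.8 review)."""
    return sorted({e["user"] for e in events
                   if e["event"] == "LOGON_SUCCESS" and e["user"].lower() in generic})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(lockout_findings(evts), generic_account_logons(evts))  # ['asmith'] ['admin']
```

Note that bjones reaches exactly six failures and is then locked out, so the control worked there; asmith reaches seven with no lockout event, which is the finding an auditor would chase.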

PCI DSS Requirement 8.5.16:

What Is It?

Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.

What Needs To Be Done?

With this requirement in place, it is impossible to circumvent the authentication process when accessing resources through an application. This also ensures that there is no default authentication into the sensitive areas of the network, even through applications or other consoles. Additionally, it forbids an administrator from having blanket credentials that allow blind access to all the network resources.

How It Is Done:

The authentication mechanisms have to be configured in such a way that there is no way to bypass the authenticating interface.

EventLog Analyzer presents two reports that can prove compliance to this Requirement.

Successful Logon Reports will help prove your compliance with this requirement. Using EventLog Analyzer's Successful Logon Reports, all the users who successfully logged in to the network can be obtained. This ensures that there was no unauthenticated entry into the critical resources of the network.

The Report on Individual Actions will list out all the activities of all the users on the network, by user. Using the data obtained from this report, the administrator can find out the areas accessed by that particular user. Coupling the data from this report with the former, compliance to PCI DSS Requirement 8.5.16 can be established.

PCI DSS Requirement 11.1:

What Is It?

Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use.

What Needs To Be Done?

This requirement talks about testing security measures on an annual basis, so that the security devices are up to date, if not ahead, in thwarting the ever-evolving brute-force attacks that attempt to reach classified data. This requirement also demands testing the wireless devices in use on a quarterly basis, as vulnerabilities are higher for wireless devices.

How It Is Done:

The only way to establish compliance with this section of PCI DSS is to manually test the security of all the connections and controls.

EventLog Analyzer presents three reports that can help you establish your organization's compliance to PCI DSS Requirement 11.1:

  • Report on Successful User Logons gives information on the users who were able to log in to the network. This information serves to identify authorized users.
  • Report on Object Access shows the same data from the objects' perspective; this ensures that no object was subjected to unauthorized or malicious access.
  • Reports on Logon Attempts will show that users who, without suitable credentials, tried logging in to sensitive resources of the network, were denied access to the resources. A user unsuccessfully trying to access a resource is the most visible sign of a security threat.

PCI DSS Requirement 12:

Maintain a policy that addresses information security for employees and contractors.

What Needs To Be Done?

Requirement 12 of PCI DSS is the icing on all the above requirements: per this requirement, there has to be a security policy in place that addresses information security for employees and contractors alike. This requirement serves to have a constitution that addresses breaches of the protocol by employees and contractors. It is the precursor to all the above requirements, as it is the one that lays down the various policies that govern information security.

This requirement is further divided into a few sub-requirements:

PCI DSS Requirement 12.2:

What Is It?

Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).

What Needs To Be Done?

Requirement 12.2 makes PCI DSS compliance an everyday affair rather than a one-off activity. Compliance with this requirement means that the procedures put in place to establish PCI DSS compliance also contribute to organizational and information security on a daily basis.

How It Is Done:

The only way to establish compliance with this section of PCI DSS is to manually test the security of all the connections and controls.

 

EventLog Analyzer presents three reports that can help you establish your organization's compliance to PCI DSS Requirement 12.2:

  • Report on Successful User Logons gives information on the users who were able to log in to the network. This information serves to identify authorized users.
  • Report on Object Access shows the same data from the objects' perspective; this ensures that no object was subjected to unauthorized or malicious access.
  • Reports on Logon Attempts will show that users who, without suitable credentials, tried logging in to sensitive resources of the network, were denied access to the resources. A user unsuccessfully trying to access a resource is the most visible sign of a security threat.

EventLog Analyzer's reports are created with your organization's PCI DSS requirements in mind. With this many reports in place, it is now child's play to establish your organization's compliance with PCI DSS. EventLog Analyzer also provides reporting solutions for various government regulatory acts like SOX, HIPAA, FISMA and GLBA too!

Complying with PCI DSS made easy like never before.
