PCI DSS Requirement 10.6 - Log Data Collection

As you likely know by now, the PCI DSS 3.0 standard went into effect on January 1, 2014. You have until January 1, 2015 to move to the new standard. While many of the changes in the PCI DSS 3.0 requirements are clarifications, there are several new requirements that could take you some time to address. If you’d like a quick overview of significant changes, read our previous blog article on What’s New in PCI DSS 3.0.

An interesting clarification to a requirement that affects everyone using Alert Logic Log Manager (as well as any merchant collecting log data) is Requirement 10.6: Review logs and security events for all system components to identify anomalies or suspicious activity. The requirement hasn’t really changed as much as it’s been clarified to be much more explicit about what log data needs to be collected and the actions that need to be taken on those log files.

For example, here’s the listing for Requirement 10.6 from the PCI DSS 2.0 requirements document:

[Image: PCI DSS 2.0 Req 10.6]

Now, here’s a view of one of the sub-requirements of 10.6 from the PCI DSS 3.0 requirements document:

[Image: PCI DSS 3.0 Req 10.6]

So with PCI DSS 3.0, you’re being asked to collect and monitor more information than previously stated in the PCI DSS requirements. Here are a few thoughts on what that really means to you:

  • First, this change gives you a great motivator to review your current log data collection and management processes. You might identify some critical data sources that you’re missing or you might discover that you have everything already covered.
  • It’s also a great opportunity to make sure you have all your log data sources properly configured. In other words, it’s not sufficient just to collect the data; you must also make sure you’re sending that information to your logging tool in the appropriate way. If you’d like a few hints, download our Configuring Log Sources for Best Practice Reporting white paper.
  • Finally, if you determine that your organization doesn’t have the time or resources to manage logs, consider outsourcing it. Our Log Review service is an affordable option for organizations that need to perform daily log reviews, but don’t have the time or resources to do so.

What are your thoughts on log data collection and PCI DSS 3.0? Will it be a major change for your organization or a small adjustment? Let us know by using the Comments box below.

Note: You can download detailed PCI DSS requirements documents from https://www.pcisecuritystandards.org/security_standards/documents.php.