TABLE OF CONTENTS
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Physical and wireless networks are the connections between all endpoints and servers in the payment infrastructure. Vulnerabilities within this infrastructure give criminals opportunities to gain unauthorized access to payment card applications and customer card data. To prevent this, organizations must have regular monitoring and network testing procedures.
Requirement 10: Track and monitor all access to network resources and cardholder data
Tracking user activities with logging mechanisms is essential for effective forensics and vulnerability management. The presence of logs allows tracking and analysis when there are issues. Logs also allow the compromised area to be identified faster so that it can be corrected.
What's involved in this compliance?
- Implement audit trails to link all access to system components to each individual user.
- Implement automated audit trails on all system components to reconstruct the following events:
- All individual user accesses to customer data
- All actions taken by any individual with root or administrative privileges
- Access to audit trails
- Invalid logical access attempts
- Use of and changes to identifications and authentication systems
- All add/delete/modification to accounts with root or administrative privileges
- Starting/Stopping/Pausing of audit logs
- Creation/Deletion of system-level objects
- Record audit trail entries for all events including the following:
- User Identification
- Type of event
- Date and Time
- Success or Failure indication
- Origination of the event
- Identity or name of the affected resource
- Use time synchronization technology to ensure all critical system clocks are synchronized
- Secure audit trails to prevent alteration
- Review logs and security events for all systems to identify anomalies.
- Perform critical reviews daily
- Retain audit trail history for at least 1 year
- 3 months of history must always be available for immediate review
- Service providers must implement a process for timely detection and reporting of failures of critical control systems
- Ensure that related policies are documented.
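The audit-trail items above come down to three properties: every record carries the six required fields, the trail cannot be altered without detection, and records are kept for a year with the last three months immediately available. The following Python program is an added example written for this guide, not code from ezsoftPOS or from PCI DSS. It assumes a JSON-lines style log in which each record stores a SHA-256 over the previous record's hash and its own content (a hash chain), so editing or deleting any record breaks every later link; the 90-day and 365-day windows, user names, hosts and resources are all constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# The six entry fields Requirement 10 asks for in every audit record.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "outcome", "origin", "resource")
GENESIS_HASH = "0" * 64                  # link value for the very first record
IMMEDIATE_WINDOW = timedelta(days=90)    # assumption: "3 months" taken as 90 days
RETENTION_LIMIT = timedelta(days=365)    # assumption: "1 year" taken as 365 days
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def _chain_hash(prev_hash: str, entry: dict) -> str:
    """Hash the previous link plus a canonical JSON form of this entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(trail: list, user_id: str, event_type: str, outcome: str,
                 origin: str, resource: str, when: datetime) -> dict:
    """Append one record; rejects a missing success/failure flag or a naive timestamp."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    if when.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware (synchronized UTC clock)")
    entry = {
        "user_id": user_id,
        "event_type": event_type,
        "timestamp": when.astimezone(timezone.utc).isoformat(),
        "outcome": outcome,
        "origin": origin,
        "resource": resource,
    }
    prev_hash = trail[-1]["hash"] if trail else GENESIS_HASH
    record = {"entry": entry, "prev_hash": prev_hash, "hash": _chain_hash(prev_hash, entry)}
    trail.append(record)
    return record


def verify_trail(trail: list) -> int:
    """Return -1 if every link is intact, else the index of the first bad record."""
    prev_hash = GENESIS_HASH
    for index, record in enumerate(trail):
        entry = record["entry"]
        if any(field not in entry for field in REQUIRED_FIELDS):
            return index
        if record["prev_hash"] != prev_hash or record["hash"] != _chain_hash(prev_hash, entry):
            return index
        prev_hash = record["hash"]
    return -1


def retention_buckets(trail: list, now: datetime) -> dict:
    """Count records that must stay online, may be archived, or are past retention."""
    buckets = {"immediate": 0, "archived": 0, "expired": 0}
    for record in trail:
        age = now - datetime.fromisoformat(record["entry"]["timestamp"])
        if age <= IMMEDIATE_WINDOW:
            buckets["immediate"] += 1
        elif age <= RETENTION_LIMIT:
            buckets["archived"] += 1
        else:
            buckets["expired"] += 1
    return buckets


def build_sample_trail() -> list:
    """Constructed sample events (hypothetical users, hosts and resources)."""
    trail = []
    append_entry(trail, "admin.jane", "privileged_login", "success",
                 "10.0.5.21", "pos-db-01", SAMPLE_NOW - timedelta(days=400))
    append_entry(trail, "svc.backup", "audit_log_stop", "success",
                 "10.0.5.30", "auditd", SAMPLE_NOW - timedelta(days=200))
    append_entry(trail, "cashier.07", "cardholder_data_read", "failure",
                 "terminal-12", "transactions_table", SAMPLE_NOW - timedelta(days=10))
    return trail


if __name__ == "__main__":
    sample = build_sample_trail()
    print("chain intact:", verify_trail(sample) == -1)
    sample[1]["entry"]["outcome"] = "failure"     # simulate an after-the-fact edit
    print("first broken record:", verify_trail(sample))
    print("retention:", retention_buckets(sample, SAMPLE_NOW))
```

A hash chain only proves that the trail has not been altered since the chain was built; to "secure audit trails" in practice the latest hash must also be copied somewhere the logging host cannot overwrite (a write-once store or a separate log server), which is the piece this example leaves to the surrounding infrastructure.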
Requirement 11: Regularly test security systems and processes
New vulnerabilities are continually discovered by malicious individuals and researchers, and new ones are introduced when software is implemented. System components should frequently be tested to ensure security is maintained. Testing of security controls is essential after any environmental change, such as deployment of new software or configuration changes. Vulnerability test results are rated by severity level, and scans should always come up with a vulnerability score that is as low as possible.
What's involved in this compliance?
- Set up testing procedures for wireless access points and detect/identify all authorized and unauthorized access. Maintain an inventory of authorized wireless access points and implement response procedures for unauthorized access detection.
- Run internal/external network vulnerability scans at minimum quarterly and after significant changes to the network. Address vulnerabilities and perform rescans as needed until a passing score can be achieved.
- After a successful scan for PCI DSS, an entity must, in subsequent years, pass four consecutive quarterly scans.
- Quarterly scan must be performed by Approved Scanning Vendors.
- Scans conducted after network changes and internal scans can be performed by internal staff.
- Develop and implement penetration testing methods that include external and internal.
- Penetration testing must be performed at minimum annually and after significant network changes.
- If segmentation is used, testing will need to be performed annually to ensure segmentation is operational and effective.
- Service providers that provide segmentation will have to perform penetration tests every 6 months and after changes.
- Use network intrusion detection/prevention to detect or prevent intrusion within the network.
- All traffic should be monitored at the perimeter of the cardholder data environment and at critical points.
- Alert personnel to suspected compromises
- IDS/IPS modules must be kept up to date
- Deploy a change detection mechanism to alert personnel of unauthorized changes to the following:
- Critical system files
- Configuration Files
- Content files.
- Ensure that related policies are documented.
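The change detection item above is usually implemented as file integrity monitoring: take a baseline of hashes for the critical system, configuration and content files, rehash them on a schedule, and alert on any difference. The following Python program is an added example written for this guide, not code from ezsoftPOS or from any particular monitoring product. It assumes the monitored files are selected by glob patterns under one root directory; the directory layout, file names and contents in `demo_run()` are constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: Path, patterns) -> dict:
    """Map each monitored file (path relative to root) to its current hash."""
    baseline = {}
    for pattern in patterns:
        for path in sorted(root.glob(pattern)):
            if path.is_file():
                baseline[path.relative_to(root).as_posix()] = file_digest(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two snapshots as added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def alert_lines(changes: dict) -> list:
    """One alert line per change, ready for a log shipper or a ticketing hook."""
    lines = []
    for kind in ("modified", "removed", "added"):
        for relative_path in changes[kind]:
            lines.append(f"ALERT unauthorized change: {kind} {relative_path}")
    return lines


def demo_run() -> dict:
    """Constructed scenario: a config edit, a deleted system file, and an unexpected content file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "www").mkdir()
        (root / "etc" / "pos.conf").write_text("tls_min_version=1.2\n")       # configuration file
        (root / "etc" / "hosts.allow").write_text("ALL: 10.0.5.0/24\n")        # system file
        (root / "www" / "index.html").write_text("<h1>Welcome</h1>\n")         # content file
        patterns = ["etc/*", "www/*"]
        baseline = take_baseline(root, patterns)

        # Simulated changes between two scheduled runs.
        (root / "etc" / "pos.conf").write_text("tls_min_version=1.0\n")       # weakened setting
        (root / "etc" / "hosts.allow").unlink()                                # file removed
        (root / "www" / "unexpected.js").write_text("// not in baseline\n")    # new content file

        return compare(baseline, take_baseline(root, patterns))


if __name__ == "__main__":
    for line in alert_lines(demo_run()):
        print(line)
```

The baseline is the trust anchor of this check, so it has to live somewhere the monitored host cannot rewrite it (a separate server or a signed, read-only store); a baseline kept beside the files it protects can be updated by the same unauthorized change it is meant to catch. Pair the alerts with the Requirement 10 audit trail so that each detected change can be matched to the account and session that made it.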
Additional Resources and Help!
Still have questions? Please contact us any time at support@ezsoftpos.com.
NOTE: If emailing, please include your business name in the subject line of the email
and provide your preferred contact information for the best response time.
Visit our Help Center for more guides and tutorials.