The Equifax data breach, revealed to the public in September 2017, exposed the sensitive data of more than 140 million people. It prompted a focused discussion on what, if anything, was actually being done to protect consumer data, and on what organizations would be required to do going forward to prevent future breaches.
With that in mind, if your business or organization accepts credit card payments in any form (and it probably does), it might make sense to get a refresher on the PCI compliance standards set forth by the PCI Security Standards Council.
The PCI Security Standards Council is a consortium of the five largest credit card providers, who together developed a set of requirements that must be adhered to in order to be allowed to process credit card payments. If, in the course of a security breach investigation or an audit, an organization is found to be non-compliant, a variety of penalties may be incurred, including fines, loss of consumer business and the “termination of the ability to accept payment cards”. Yeesh, that’s no joke.
But complying with PCI rules is not all doom and gloom. In fact, many of the network management requirements are either common sense (e.g. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters) or things you should already be doing in the course of managing your network, such as setting up a firewall to protect data.
However, some of the standards are a bit more involved, specifically those requiring regular testing and monitoring of networks. This means you must both actively monitor your network for security threats and keep a detailed record of all activity in your network related to the system components that handle user credit card data.
The bad news is that if you don’t have a log management tool in place, you’re already non-compliant. The good news is that Nagios Log Server was designed to help you meet a number of stipulations in the PCI standards. Here are three ways a log monitoring tool like Nagios Log Server is crucial for achieving PCI compliance:
Organizes the Data for You
It is crucial to keep a detailed record of all logs from system components that handle sensitive cardholder information; this includes user identification, date and time, origination of the event, a success or failure indication, and other information. Nagios Log Server parses incoming log data from any source you link to it and separates it into tagged fields, including those required by the PCI standards. These tags can be searched directly, so critical network events can be quickly identified.
Alerts you to Critical Events
PCI standards require that specific types of network events be carefully tracked, as they are often an indication of a compromised system. Examples include tampering with the audit logs, any actions taken by users with root or administrative privileges, invalid logical access attempts, and any individual user access to cardholder data. Nagios Log Server lets you graph the frequencies of specific network events. It also lets you set alerts on suspicious network activity so that you are notified immediately when it occurs.
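As an added illustration (not Nagios Log Server’s own code or output), the following Python pass shows what the two sections above describe: it splits constructed syslog-style lines into the fields PCI expects (user, time, origin, outcome) and flags the four event classes just listed. The `user=`/`src=`/`result=` field names, the audit-log path and the sample lines are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in a key=value syslog-like shape (not real product output).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z host=pay01 user=alice src=10.0.0.5 action=login result=FAILURE",
    "2024-03-01T10:00:02Z host=pay01 user=alice src=10.0.0.5 action=login result=FAILURE",
    "2024-03-01T10:00:03Z host=pay01 user=alice src=10.0.0.5 action=login result=FAILURE",
    "2024-03-01T10:05:00Z host=pay01 user=root src=10.0.0.9 action=service_restart result=SUCCESS",
    "2024-03-01T10:06:00Z host=db01 user=bob src=10.0.0.7 action=read object=cardholder_db result=SUCCESS",
    "2024-03-01T10:07:00Z host=db01 user=bob src=10.0.0.7 action=delete object=/var/log/audit/audit.log result=SUCCESS",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
ADMIN_USERS = {"root", "admin"}            # assumed privileged accounts
CARDHOLDER_OBJECTS = {"cardholder_db"}     # assumed cardholder data store
AUDIT_LOG_PREFIX = "/var/log/audit/"       # assumed audit log location

def parse_line(line):
    """Extract the PCI-required fields: who, when, from where, what, and success/failure."""
    ts, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": fields.get("user"), "origin": fields.get("src"), "host": fields.get("host"),
        "action": fields.get("action"), "object": fields.get("object"),
        "success": fields.get("result") == "SUCCESS",
    }

def classify(event):
    """Map one parsed record to a PCI event class, or None if it is routine."""
    obj = event["object"] or ""
    if obj.startswith(AUDIT_LOG_PREFIX) and event["action"] in {"delete", "write", "chmod"}:
        return "audit_log_tampering"
    if event["user"] in ADMIN_USERS:
        return "privileged_action"
    if obj in CARDHOLDER_OBJECTS:
        return "cardholder_data_access"
    if event["action"] == "login" and not event["success"]:
        return "invalid_access_attempt"
    return None

def alerts(lines, failed_login_threshold=3):
    """Return (class, user, origin, time) tuples; repeated failed logins alert once per user at the threshold."""
    failed, out = {}, []
    for line in lines:
        ev = parse_line(line)
        cls = classify(ev)
        if cls == "invalid_access_attempt":
            failed[ev["user"]] = failed.get(ev["user"], 0) + 1
            if failed[ev["user"]] != failed_login_threshold:
                continue
        if cls:
            out.append((cls, ev["user"], ev["origin"], ev["time"].isoformat()))
    return out
```

Each tuple returned by `alerts` carries exactly the fields an auditor will ask for, so the same records can be both the notification and the retained evidence.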
Keeps the Receipts
You’re required to keep audit records of log data for at least a year, with three months of log data immediately available for analysis. That’s easier than it sounds. Log Server can automatically store, catalogue and provide failover backups for all log data. If you end up needing any of your past log data, it is easily searched for and retrieved.
We encourage you to take a closer look at all the PCI compliance requirements and see where you and your team are meeting expectations, as well as where there are opportunities for improvement. While meeting PCI standards may seem daunting, there are lots of helpful tools and resources to help you achieve your compliance goals!
You can download a free trial of Nagios Log Server here.