
What is PCI-DSS Requirement 10?

PCI-DSS Requirement 10 asks businesses to log and monitor all access to in-scope networks, system components and, ultimately, cardholder data, by implementing logging mechanisms that record user activity.

Keeping these logs across all in-scope environments allows monitoring, alerting and analysis if something goes wrong. Without them it is very hard to establish the cause and extent of a breach, or even that one has occurred.

PCI-DSS Requirement 10.1: Apply audit trails to link all access to system components with individual users.

Your business must have a process or mechanism that ties every access to a system component to the individual user who performed it. Generic or shared accounts break this link, so audit logs must make it possible to trace any suspicious activity back to a specific person.

These audit trails must be in place and maintained for each system component, and read access to them must be limited to those whose job requires it.

PCI-DSS Requirement 10.2: Use automated audit trails for all system components so that events can be reconstructed.

Automated audit trails for suspicious or anomalous activity let the system alert administrators, feed other monitoring processes, and give investigators a complete trail to follow after an incident.

An automated audit trail is required on all system components to reconstruct the following events:

  • All individual user access to cardholder data.
  • All actions taken by any individual with root or administrative privileges.
  • Access to all audit trails.
  • Invalid logical access attempts.
  • Use of, and changes to, identification and authentication mechanisms (including creation of new accounts and elevation of privileges).
  • Initialisation, stopping or pausing of the audit logs.
  • Creation and deletion of system-level objects.

PCI-DSS Requirement 10.3: Audit logs must be protected from changes or destruction by unauthorised parties.

An intruder who has gained access to a network will try to edit or delete audit logs to hide their activity. Logs must therefore be protected so they remain complete and accurate: read access is limited to those with a job-related need, logs are protected from modification, they are promptly backed up or forwarded to a central log server or other media that is difficult to alter, and file-integrity monitoring or change detection is applied to the logs themselves. For the trail to be of any use, every entry must also capture:

  • The user ID
  • Date and time of the event
  • Whether the action succeeded or failed
  • Event type
  • The origination of the event (for example, the source host or process)
  • The identity or name of the affected data, system component, resource or service

With this information captured and protected, you can quickly establish what happened, who was responsible, and when and how it took place.

PCI-DSS Requirement 10.4: Audit logs are reviewed regularly to detect anomalies or suspicious behaviour.

Regular reviews must take place using log harvesting, parsing and alerting tools, event log analysers and security information and event management (SIEM) solutions. Any anomalies found during these reviews must be investigated promptly to confirm or rule out suspicious activity and to address any weaknesses they reveal.

The sub-sub-sections of this requirement include:

  • PCI-DSS Requirement 10.4.1: Audit logs of security events, of all components that store, process or transmit cardholder data, of critical system components, and of servers and components that perform security functions (for example, firewalls, IDS/IPS and authentication servers) are reviewed at least once daily.
  • PCI-DSS Requirement 10.4.1.1: Automated mechanisms are used to perform these audit log reviews.
  • PCI-DSS Requirement 10.4.2: Logs of all other system components are reviewed periodically.
  • PCI-DSS Requirement 10.4.2.1: The frequency of those periodic reviews is defined in the organisation's targeted risk analysis.
  • PCI-DSS Requirement 10.4.3: Exceptions and anomalies identified during the review process are addressed.
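As an added example (not from the page or from Hicomply), the following Python script shows what an automated daily review under 10.4.1.1 can look like when run over the event types listed under Requirement 10.2 and the per-entry fields listed under Requirement 10.3. It first checks each record for the required fields, then applies three simple review rules: a burst of invalid logon attempts from one source, any stopping of the audit logging itself, and any read of the audit trail by an account that is not an approved reviewer. The JSON-lines records, field names, event names, hostnames and the reviewer list are all constructed for the example; a real deployment would map them onto whatever the SIEM normalises.

```python
"""Added example: field-completeness check and automated daily review of audit records.
Sample data, event names and reviewer accounts are constructed for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Fields every audit entry must carry (the list given under Requirement 10.3 above).
REQUIRED_FIELDS = ("time", "user", "event", "outcome", "source", "target")

# Accounts permitted to read the audit trail (assumed; in practice an approved reviewer group).
AUDIT_READERS = frozenset({"secops", "siem_collector"})

# Constructed JSON-lines audit records from a hypothetical payment host "payapp01".
# Line 9 deliberately lacks the "outcome" field so the completeness check has something to find.
SAMPLE_LOG = """
{"time":"2024-03-04T02:10:01Z","user":"svc_batch","event":"cde_access","outcome":"success","source":"10.1.5.20","target":"cardholder_db"}
{"time":"2024-03-04T02:14:30Z","user":"jsmith","event":"logon_failure","outcome":"failure","source":"203.0.113.9","target":"payapp01"}
{"time":"2024-03-04T02:14:41Z","user":"jsmith","event":"logon_failure","outcome":"failure","source":"203.0.113.9","target":"payapp01"}
{"time":"2024-03-04T02:14:52Z","user":"admin","event":"logon_failure","outcome":"failure","source":"203.0.113.9","target":"payapp01"}
{"time":"2024-03-04T02:15:03Z","user":"root","event":"logon_failure","outcome":"failure","source":"203.0.113.9","target":"payapp01"}
{"time":"2024-03-04T02:15:15Z","user":"oracle","event":"logon_failure","outcome":"failure","source":"203.0.113.9","target":"payapp01"}
{"time":"2024-03-04T02:40:00Z","user":"root","event":"audit_log_stop","outcome":"success","source":"localhost","target":"auditd"}
{"time":"2024-03-04T02:41:10Z","user":"dev_tmp","event":"audit_log_access","outcome":"success","source":"10.1.7.3","target":"/var/log/audit/audit.log"}
{"time":"2024-03-04T03:00:00Z","user":"cron","event":"sysobject_create","source":"localhost","target":"/usr/lib/libpay.so"}
"""


def parse_records(text):
    """Parse JSON lines into dicts. Unparseable lines are reported, never dropped silently."""
    records, bad_lines = [], []
    for lineno, line in enumerate(text.strip().splitlines(), start=1):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad_lines.append(lineno)
    return records, bad_lines


def check_completeness(records):
    """Return (line number, missing fields) for every record lacking a required field."""
    incomplete = []
    for lineno, rec in enumerate(records, start=1):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            incomplete.append((lineno, missing))
    return incomplete


def _when(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")


def review(records, failure_threshold=5, window=timedelta(minutes=10), audit_readers=AUDIT_READERS):
    """Apply three review rules and return a list of (rule, detail) findings."""
    findings = []
    failures_by_source = defaultdict(list)
    for rec in records:
        event = rec.get("event")
        if event == "logon_failure":
            failures_by_source[rec["source"]].append(_when(rec))
        elif event == "audit_log_stop":
            # Stopping or pausing the audit log is itself a logged event and always warrants a look.
            findings.append(("audit-log-stopped", f'{rec["user"]} stopped {rec["target"]} at {rec["time"]}'))
        elif event == "audit_log_access" and rec["user"] not in audit_readers:
            findings.append(("unexpected-audit-log-access", f'{rec["user"]} read {rec["target"]} from {rec["source"]}'))
    # Sliding window: report a source once if `failure_threshold` failures fall inside `window`.
    for source, times in failures_by_source.items():
        times.sort()
        for i in range(failure_threshold - 1, len(times)):
            if times[i] - times[i - failure_threshold + 1] <= window:
                findings.append(("logon-failure-burst", f"{failure_threshold} invalid logons from {source} within {window}"))
                break
    return findings


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    for lineno, missing in check_completeness(recs):
        print(f"line {lineno}: missing {', '.join(missing)}")
    for rule, detail in review(recs):
        print(f"[{rule}] {detail}")
```

The threshold and window are parameters so they can be set from the targeted risk analysis rather than hard-coded. In production these rules would live in the SIEM as correlation rules rather than in a script, but the logic is the same, and note that every finding ties back to a user, a time, a source and an affected component, which is only possible when Requirements 10.2 and 10.3 are met first.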

PCI-DSS Requirement 10.5: Audit log history must be retained and readily available for analysis.

All audit log history must be retained for at least 12 months, with a minimum of the most recent three months immediately available for analysis (for example, online, archived, or restorable from backup) so that an incident can be investigated without delay.

PCI-DSS Requirement 10.6: Time-synchronisation mechanisms must support consistent time settings across all system components.

All businesses must use time-synchronisation technology to keep system clocks in step, so that when an issue is detected the logs from different systems can be correlated and the correct sequence of events established.

The sub-sub-requirements include:

  • PCI-DSS Requirement 10.6.1: System clocks and time are synchronised using time-synchronisation technology (such as NTP).
  • PCI-DSS Requirement 10.6.2: Systems are configured to the correct and consistent time: one or more designated central time servers receive time from industry-accepted external sources, only those designated servers accept time from external sources, they peer with one another where there is more than one, and all other internal systems take their time only from the designated servers.
  • PCI-DSS Requirement 10.6.3: Time-synchronisation settings and data are protected: access to time data is restricted to personnel with a business need, and any changes to time settings on critical systems are logged, monitored and reviewed.
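As an added example, not from the page, the following chrony configuration fragments show one way to implement the 10.6.2 structure above on Linux hosts: a designated internal time server, which is the only kind of system allowed to talk to external sources, and the configuration every other in-scope host uses to take time from the designated servers alone. Hostnames, the internal address range and file paths are assumptions; the directives themselves are standard chrony ones.

```conf
# /etc/chrony.conf on a DESIGNATED internal time server (assumed name ntp1.corp.example).
# Only the designated servers may use external sources (10.6.2).
# Assumed names for industry-accepted external sources; use your chosen providers.
server 0.time.example.net iburst
server 1.time.example.net iburst
server 2.time.example.net iburst
server 3.time.example.net iburst
# Do not steer the clock unless at least two sources agree (cross-checks the external time).
minsources 2
# Designated servers peer with one another (assumed second server).
peer ntp2.corp.example
driftfile /var/lib/chrony/drift
# Step the clock only in the first three updates after boot; slew thereafter.
makestep 1.0 3
rtcsync
# Serve time only to the internal network (assumed range); everything else is refused.
allow 10.0.0.0/8
deny all
# No remote chronyc control; configuration changes require local root and are audited (10.6.3).
cmdport 0
# Keep evidence of every adjustment for review.
logdir /var/log/chrony
log tracking measurements statistics

# /etc/chrony.conf on every OTHER in-scope host: internal designated servers only, never external.
server ntp1.corp.example iburst
server ntp2.corp.example iburst
minsources 2
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
# Do not act as a time server for anyone.
port 0
cmdport 0
```

For 10.6.3, the configuration and drift files should be root-owned and read-only to everyone else, cmdport 0 removes the remote change path, and an auditd watch on /etc/chrony.conf (or the file-integrity monitoring already required under Requirement 11) provides the logged, monitored record of changes the sub-requirement asks for.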

PCI-DSS Requirement 10.7: Failures of critical security control systems must be detected, reported and responded to promptly.

Businesses must have a formal process that detects failures of critical security controls (for example, firewalls, IDS/IPS, anti-malware, file-integrity monitoring, access controls and the audit logging itself) and alerts the appropriate personnel. Administrators must act quickly, because every hour a control is down is time in which malware or an attacker can operate unnoticed, and the response must include restoring the control, identifying and documenting the cause and duration of the failure, and determining whether any security issues arose while it was down.

Gain PCI-DSS compliance with Hicomply

PCI-DSS compliance is a mandatory yet beneficial certification for your business. However, we understand that it can be quite a long-winded one, especially if your business is constantly busy!

Our aim is to simplify the process as much as possible with our fully-fledged ISMS solution that keeps all your documentation organised and in one place, so you can focus on the more important things for your organisation. Get in touch today to receive a demo.