As you may be aware, there is a security standard named PCI DSS that aims to protect credit cards from fraud. It is a mandatory standard for every company that accepts credit card payments, issues credit cards or handles credit card transactions. The standard consists of 12 high-level rules divided into 240+ detailed requirements that must be fulfilled in order to obtain certification.

One of the harder to achieve, but from an infrastructure perspective more interesting, requirements is the one mandating that everything happening in the CDE (Cardholder Data Environment) has to be logged and acted on if needed. Not many companies today have logging activated, and even fewer actually use it for security. This means that quite often they look externally for this kind of service.

Following two engagements in the UK and the Nordics that I am currently involved in, I have had the opportunity to create a setup that showed it is possible to deliver this as a service to reach PCI DSS compliance. From a security point of view, this kind of service will help a company understand what kinds of threats currently exist. Lack of monitoring has always been a problem and gives rise to poor risk analysis. Following You3, lack of monitoring most of the time puts you in "You Have" instead of "You Belong" or "You Are", but with good security logging and incident response you get a better view of what kinds of incidents you need to protect the client against, and you can provide a better risk analysis as well, giving security better visibility with management and most likely more budget. Becoming the next Sony ($165M) or RSA ($56M) is not something any company would like, but without knowledge there is a risk they invest too much and get too little.

With logging as a service, I expect a new area in compliance to emerge: CAAS, Compliance as a Service.