PCI DSS Logging as a service

As you may be aware, there is a security standard named PCI DSS (Payment Card Industry Data Security Standard) that aims to protect credit cards from being subject to fraud. It is mandatory for every company that accepts credit card payments, issues credit cards or handles credit card transactions. The standard consists of 12 high-level requirements divided into 240+ detailed sub-requirements, all of which need to be fulfilled in order to be validated as compliant and obtain the certification.

One of the harder requirements to achieve, and the most interesting one from an infrastructure perspective, is the one mandating that activity in the CDE (the Cardholder Data Environment, see http://crowmoor.se/blog/?p=363) be logged and, where necessary, acted on; this is Requirement 10, tracking and monitoring all access to network resources and cardholder data. Few companies today have such logging enabled, and even fewer actually use it for security. As a result, they quite often look to an external provider for this kind of service.

Two engagements I am currently involved in, one in the UK and one in the Nordics, have given me the opportunity to build a setup that showed it is possible to deliver this as a service and reach PCI DSS compliance with it. From a security point of view, such a service helps a company understand which threats it actually faces. Lack of monitoring has always been a problem and leads to poor risk analysis. In the terms of You3 (http://www.capgemini.com/technology-blog/2011/04/working-security-mechanisms-fail/), lack of monitoring most of the time leaves you at "You Have" instead of "You Belong" or "You Are". With good security logging and incident response procedures, you get a better view of the kinds of incidents you need to protect the client against, you can produce a better risk analysis, and security gains visibility with management and, most likely, more budget. Becoming the next Sony ($165M) or RSA ($56M) is not something any company wants, but without this knowledge there is a risk of investing too much and getting too little.

With logging as a service, I expect a new area in compliance to emerge: CaaS, Compliance as a Service.
