
PCI Audit Logs

PCI DSS requirements 10.2 and 10.3 require that Theatre Manager maintain audit logs for certain system events. These primarily concern who has seen, or could have seen, credit card information.

The transaction logs in Theatre Manager satisfy these requirements: Theatre Manager has always maintained an 'audit log' of certain system events that records the events required by PCI requirement 10.2 and at least the minimum data elements required by requirement 10.3.

The following screen shot is a sample of an audit log that is contained within the transaction records in Theatre Manager.

All financial and access audit log transactions are kept forever. Specifically, transactions such as Login, Logout, Invalid Access and Viewing Complete Card Data are kept in perpetuity. Transaction types are coded and dated so that they can be found and sorted easily.

Some non-financial transactions, such as 'ticket unprint', are kept for a minimum of one year, or longer depending on settings. These do not affect finances or PCI compliance, so retention beyond the minimum is optional.

PCI Std. Requirement / Theatre Manager Implementation

10.2 Implement automated audit trails for all system components to reconstruct the following events:

10.2.1 All individual accesses to cardholder data
    Theatre Manager creates an 'AC' transaction whenever a user sees the entire credit card number. By default, Theatre Manager displays masked card numbers in all windows and reports; only in specific places will it display full card information, and only to users with specific authorization to see cards. You should therefore expect to see very little in this part of the audit log if you minimize who has access to full card data.
    The act of accepting a credit card at the box office (the actual payment) is tracked with a 'PT' audit transaction, so payments can also be traced back to the user who took them.
    None of these transactions can be purged.

10.2.2 All actions taken by any individual with root or administrative privileges
    An administrative user is subject to the same logging requirements as all other users.

10.2.3 Access to all audit trails
    Theatre Manager does not track who views audit trails, because the trails cannot be changed, manipulated or altered by the user in any way. We believe that when users know this information is tracked for PCI compliance, it acts as an additional deterrent. None of the logs ever display sensitive data.

10.2.4 Invalid logical access attempts
    Theatre Manager tracks who accesses Theatre Manager, recording each login and logout with 'ALI' and 'ALO' transactions respectively.
    'ALX' transactions record invalid login attempts (after 3 mistyped passwords) and user account lockouts.
    These transactions cannot be purged.

10.2.5 Use of identification and authentication mechanisms
    Theatre Manager uses login and authentication mechanisms; all users of the application must log in.

10.2.6 Initialization of the audit logs
    The audit logs can never be 'initialized' by the user, nor cleared except under programmatic control. The minimum retention time for audit transactions is 365 days, with the default being forever. Payment logs indicating who took the actual payment are retained forever and cannot be deleted.

10.2.7 Creation and deletion of system-level objects

10.3 Record at least the following audit trail entries for all system components for each event:

10.3.1 User identification                                    yes - see log example
10.3.2 Type of event                                          yes - see log example
10.3.3 Date and time                                          yes - see log example
10.3.4 Success or failure indication                          yes - see log example
10.3.5 Origination of event                                   yes - see log example
10.3.6 Identity or name of affected data, system component,
       or resource                                            yes - see log example
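The transaction codes and retention rules described above can be checked against an exported log with a short review script. The following is an added example, not Theatre Manager code: it assumes a pipe-delimited export with one record per line carrying the six PCI 10.3 elements in order (timestamp, user, transaction code, result, origin, affected resource). The page does not give Theatre Manager's actual export format, and the 'TUP' code used for the 'ticket unprint' event is an assumption, since the page names the event but not its code. The sample records are constructed.

```python
"""Review script for Theatre Manager style PCI audit transactions.

Added example, not Theatre Manager code. Assumes a pipe-delimited export
with one record per line carrying the six PCI DSS 10.3 data elements in
order: timestamp, user, transaction code, result, origin, affected resource.
"""
from collections import Counter
from datetime import datetime, timedelta

# Codes the page says are kept in perpetuity and can never be purged:
# full card view, payment, login, logout, invalid access/lockout.
PERMANENT_CODES = {"AC", "PT", "ALI", "ALO", "ALX"}
# Minimum retention the page gives for other audit transactions.
MIN_RETENTION_DAYS = 365
# The six PCI 10.3 data elements (10.3.1 .. 10.3.6), in record order.
FIELDS = ("timestamp", "user", "code", "result", "origin", "resource")

# Constructed sample export (not real data). 'TUP' is an assumed code for
# the 'ticket unprint' event; the page names the event but not its code.
# The last line is deliberately missing its resource element.
SAMPLE_LOG = """\
2024-03-01T09:00:12|alice|ALI|OK|10.0.0.5|login
2024-03-01T09:05:40|alice|AC|OK|10.0.0.5|patron:1042
2024-03-01T09:06:02|alice|AC|OK|10.0.0.5|patron:1043
2024-03-01T09:07:15|alice|PT|OK|10.0.0.5|order:7781
2024-03-01T09:30:00|bob|ALX|FAIL|10.0.0.9|login
2024-03-01T09:30:20|bob|ALX|FAIL|10.0.0.9|login
2024-03-01T09:31:00|bob|ALX|FAIL|10.0.0.9|lockout
2024-03-01T10:00:00|alice|ALO|OK|10.0.0.5|logout
2020-06-01T12:00:00|dave|AC|OK|10.0.0.3|patron:77
2022-01-15T12:00:00|carol|TUP|OK|10.0.0.7|ticket:5150
2024-02-20T08:00:00|carol|TUP|OK|10.0.0.7
"""
SAMPLE_NOW = datetime(2024, 3, 2)  # reference time for the retention check


def parse_records(text):
    """Split the export into dicts keyed by FIELDS; missing elements become None."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|")))
        for name in FIELDS:
            rec.setdefault(name, None)
        if rec["timestamp"]:
            rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        records.append(rec)
    return records


def incomplete_records(records):
    """10.3: records missing any of the six required data elements."""
    return [r for r in records if any(r[f] in (None, "") for f in FIELDS)]


def full_card_views_by_user(records):
    """10.2.1: 'AC' transactions (full card number displayed), counted per user."""
    return Counter(r["user"] for r in records if r["code"] == "AC")


def locked_out_users(records, threshold=3):
    """10.2.4: users with at least `threshold` 'ALX' invalid-access events."""
    failures = Counter(r["user"] for r in records if r["code"] == "ALX")
    return sorted(u for u, n in failures.items() if n >= threshold)


def purge_candidates(records, now, retention_days=MIN_RETENTION_DAYS):
    """10.2.6: records a purge may touch. Permanent codes are never eligible,
    and nothing inside the retention window is eligible."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records
            if r["code"] not in PERMANENT_CODES
            and r["timestamp"] is not None and r["timestamp"] < cutoff]


def summarize(text, now):
    """Run every check over one export and return the findings as a dict."""
    records = parse_records(text)
    return {
        "full_card_views": dict(full_card_views_by_user(records)),
        "locked_out": locked_out_users(records),
        "incomplete": len(incomplete_records(records)),
        "purgeable": [(r["user"], r["code"], r["resource"])
                      for r in purge_candidates(records, now)],
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_LOG, SAMPLE_NOW))
```

Running the script on the constructed sample shows the two checks a reviewer most wants from this page: the full-card-view count per user stays small when access is restricted (alice has two 'AC' views, dave one), and the retention rule never offers an 'AC', 'PT', 'ALI', 'ALO' or 'ALX' record for purging however old it is, while the ticket-unprint record from 2022 is past the 365-day minimum and therefore eligible. The incomplete-record check flags the line that lacks a 10.3.6 resource element, which is the kind of gap an assessor would ask about.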