Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
| Section | PCI Requirement | Comments | Responsibilities on Artsman Cloud |
| 10.1 | Implement audit trails to link all access to system components to each individual user. |
Artsman: via Theatre Manager
Customer: workstation |
|
| 10.2 | Implement automated audit trails for all system components to reconstruct the following events: | ||
| 10.2.1 | All individual accesses to cardholder data | Refer to PCI Audit Logs. Theatre Manager tracks every time a user views the entire credit card data for any patron.
The Theatre Manager logs can be exported to your common logging tools. Refer to exporting logs to see how to accomplish this. |
Theatre Manager tracks access to card data for Customers |
| 10.2.2 | All actions taken by any individual with root or administrative privileges | Not applicable to Theatre Manager - it is applicable to your operating system. | Only access to CC data is via Theatre Manager |
| 10.2.3 | Access to all audit trails | via Theatre Manager | |
| 10.2.4 | Invalid logical access attempts | Incorrect login attempts to Theatre Manager are tracked in the audit logs. | via Theatre Manager |
| 10.2.5 | Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges | Theatre Manager tracks each log in and log out, user creations and when people are given a temporary priviledge. These transaction are of type 'A' in the database (for Audit) | via Theatre Manager |
| 10.2.6 | Initialization, stopping, or pausing of the audit logs | Theatre Manager access audit logs cannot be stopped or deleted | via Theatre Manager |
| 10.2.7 | Creation and deletion of system-level objects | This is not possible in Theatre Manager | Theatre Manager does not allow entity deletion |
| 10.3 | Record at least the following audit trail entries for all system components for each event: | refer to PCI audit Log description | via Theatre Manager |
| 10.3.1 | User identification | ||
| 10.3.2 | Type of event | ||
| 10.3.3 | Date and time | ||
| 10.3.4 | Success or failure indication | ||
| 10.3.5 | Origination of event | ||
| 10.3.6 | Identity or name of affected data, system component, or resource | ||
| 10.4 | Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
Note: One example of time synchronization technology is Network Time Protocol (NTP). |
You must allow each computer to access a respected NTP Server (network time protocol). This is typically built into the operating system and firewall rules should automatically enable this feature.
Theatre Manager uses the time at the postgres server as the single time source for transactions across all workstations. All data istimestamped with now(), making time diferences on workstations irrelevant. Regardless, an alert is given to a user if their workstation does not match the server to within 30 seconds. Effectively, if the postgres server is set according to an NTP server; all workstations transactions are synced with the postgres server to create a unified approach to time. |
via Theatre Manager |
| 10.4.1 | Critical systems have the correct and consistent time | ||
| 10.4.2 | Time data is protected | ||
| 10.4.3 | Time settings are received from industry-accepted time sources | ||
| 10.5 | Secure audit trails so they cannot be altered |
Artsman: SOC 2 compliant data centres with real time monitoring and logging
Customer: Workstation controls |
|
| 10.5.1 | Limit viewing of audit trails to those with a job-related need | Theatre Manager logs are not sensitive in themselves due to what they track. However, after exporting them and storing them in your centralized logging facility, you will need to limit access because of the other systems you may be logging. | |
| 10.5.2 | Protect audit trail files from unauthorized modifications. | You cannot modify or delete Theatre Manager logs | |
| 10.5.3 | Promptly back up audit trail files to a centralized log server or media that is difficult to alter. | In addition to exporting logs, the multiple daily database backups create redundancy in the storage of the TM audit logs. | |
| 10.5.4 | Write logs for external-facing technologies onto a log server on the internal LAN. | This means things like router logs need to be stored internally. | |
| 10.5.5 | Use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). | ||
| 10.6 | Review logs and security events for all system components to identify anomalies or suspicious activity | Refer to exporting logs to see how to export TM access logs in excel format so that you can import to your common log server. |
Artsman: SOC 2 compliant data centres with real time monitoring and logging
Customer: Workstation controls |
| 10.6.1 | Review the following at least daily:
|
PCI Audit Logs | |
| 10.6.2 | Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment. | ||
| 10.6.3 | Follow up exceptions and anomalies identified during the review process. | ||
| 10.7 | Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). | PCI logs are permanent in the database | via Theatre Manager |
| 10.8 | Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. |
Artsman: web sales and database
Customer: workstation |
Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
| Section | PCI Requirement | Comments | Responsibilities on Artsman Cloud |
| 11.1 | Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices. |
iStumbler is a great little tool on the mac that is donation ware - it can find a lot of items that are broadcasting signals.
Alternately, inspect each device that is within the card portion of the network and make sure wireless is off. Note: on AMS cloud servers, all network connections are physical wiring - there are no possible WIFI access points. |
Artsman: N/A - no access points
Customer: workstations |
| 11.1.1 | Maintain an inventory of authorized wireless access points including a documented business justification. |
Artsman: N/A - no access points
Customer: workstations |
|
| 11.1.2 | Implement incident response procedures in the event unauthorized wireless access points are detected. |
Artsman: N/A - no access points
Customer: workstations |
|
| 11.2 | Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed. For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies
|
Artsman: web sales and database scans
Customer: workstation scans |
|
| 11.2.1 | Perform quarterly internal vulnerability scans and rescans as needed, until all "high-risk" vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel. |
Artsman: web sales and database
Customer: workstations |
|
| 11.2.2 | Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc. |
Artsman: web sales and database
Customer: workstations |
|
| 11.2.3 | Perform internal and external scans, and rescans as needed, after any significant change.
Scans must be performed by qualified personnel. |
Artsman: web sales and database
Customer: workstations |
|
| 11.3 | Implement a methodology for penetration testing that includes the following:
|
Artsman: web sales and database tests
Customer: workstation tests |
|
| 11.3.1 | Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). |
Artsman: web sales and database
Customer: workstations |
|
| 11.3.2 | Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). |
Artsman: web sales and database
Customer: workstations |
|
| 11.3.3 | Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. |
Artsman: web sales and database
Customer: workstations |
|
| 11.3.4 | If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE. |
Artsman: web sales and database
Customer: workstations |
|
| 11.4 | Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. |
Artsman: web sales and database
Customer: workstations |
|
| 11.5 | Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider). |
Artsman: web sales and database
Customer: workstations |
|
| 11.5.1 | Implement a process to respond to any alerts generated by the change- detection solution. |
Artsman: web sales and database
Customer: workstations |
|
| 11.6 | Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties |
Artsman: web sales and database
Customer: workstations |