You are here

Requirement 10: Track and monitor all access to network

Subscribe to Syndicate
Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.

Section PCI Requirement Comments Responsibilities on Artsman Cloud
10.1 Implement audit trails to link all access to system components to each individual user.   Artsman: via Theatre Manager
Customer: workstation
10.2 Implement automated audit trails for all system components to reconstruct the following events:    
10.2.1 All individual accesses to cardholder data Refer to PCI Audit Logs. Theatre Manager tracks every time a user views the entire credit card data for any patron.

The Theatre Manager logs can be exported to your common logging tools. Refer to exporting logs to see how to accomplish this.

Theatre Manager tracks access to card data for Customers
10.2.2 All actions taken by any individual with root or administrative privileges Not applicable to Theatre Manager - it is applicable to your operating system. Only access to CC data is via Theatre Manager
10.2.3 Access to all audit trails   via Theatre Manager
10.2.4 Invalid logical access attempts Incorrect login attempts to Theatre Manager are tracked in the audit logs. via Theatre Manager
10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges Theatre Manager tracks each log in and log out, user creations and when people are given a temporary priviledge. These transaction are of type 'A' in the database (for Audit) via Theatre Manager
10.2.6 Initialization, stopping, or pausing of the audit logs Theatre Manager access audit logs cannot be stopped or deleted via Theatre Manager
10.2.7 Creation and deletion of system-level objects This is not possible in Theatre Manager Theatre Manager does not allow entity deletion
10.3 Record at least the following audit trail entries for all system components for each event: refer to PCI audit Log description via Theatre Manager
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource
10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

Note: One example of time synchronization technology is Network Time Protocol (NTP).

You must allow each computer to access a respected NTP Server (network time protocol). This is typically built into the operating system and firewall rules should automatically enable this feature.

Theatre Manager uses the time at the postgres server as the single time source for transactions across all workstations. All data istimestamped with now(), making time diferences on workstations irrelevant.

Regardless, an alert is given to a user if their workstation does not match the server to within 30 seconds.

Effectively, if the postgres server is set according to an NTP server; all workstations transactions are synced with the postgres server to create a unified approach to time.

via Theatre Manager
10.4.1 Critical systems have the correct and consistent time
10.4.2 Time data is protected
10.4.3 Time settings are received from industry-accepted time sources
10.5 Secure audit trails so they cannot be altered   Artsman: SOC 2 compliant data centres with real time monitoring and logging
Customer: Workstation controls
10.5.1 Limit viewing of audit trails to those with a job-related need Theatre Manager logs are not sensitive in themselves due to what they track. However, after exporting them and storing them in your centralized logging facility, you will need to limit access because of the other systems you may be logging.
10.5.2 Protect audit trail files from unauthorized modifications. You cannot modify or delete Theatre Manager logs
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter. In addition to exporting logs, the multiple daily database backups create redundancy in the storage of the TM audit logs.
10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN. This means things like router logs need to be stored internally.
10.5.5 Use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).  
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity Refer to exporting logs to see how to export TM access logs in excel format so that you can import to your common log server. Artsman: SOC 2 compliant data centres with real time monitoring and logging
Customer: Workstation controls
10.6.1 Review the following at least daily:
  • All security events
  • Logs of all system components that store, process, or transmit CHD and/or SAD
  • Logs of all critical system components
  • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
PCI Audit Logs
10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.  
10.6.3 Follow up exceptions and anomalies identified during the review process.  
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). PCI logs are permanent in the database via Theatre Manager
10.8 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.   Artsman: web sales and database
Customer: workstation