Anton Chuvakin, PhD, GCIA, GCIH, GCFA continues his two-part review of logging requirements imposed by the Payment Card Industry Data Security Standard (PCI DSS). Everything that follows is Dr Chuvakin's work with minor edits. (Part 1)
In today's column, he presents some practical guidance for readers.
* * *
A PCI-consistent logging policy must include at least the following elements:
* Adequate logging: covers both the event types that are logged and the detail recorded for each event, for all systems in scope for PCI DSS. As a reminder, this includes not only systems that store or process card data, but also those that are directly connected to them (no firewall in between).
* Central log aggregation: making sure that logs are retained in a controlled environment and not left to rot wherever they are produced is a PCI compliance requirement.
* Log retention: PCI DSS has an easy answer for your log retention policy: logs must be stored for one year, with the last three months available in easily accessible storage (not tape).
* Log protection and...
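The retention rule above (one year kept, the most recent three months online rather than on tape) is concrete enough to check mechanically. The following audit is an added example, not part of the original column: it walks a constructed inventory of daily log archives, flags recent archives that sit on tape and days missing inside the one-year window, and lists archives old enough to retire. The host name, tier names and inventory are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_DAYS = 365          # PCI DSS: keep logs for one year
ONLINE_DAYS = 90              # ...with the last three months readily accessible
ONLINE_TIERS = {"hot", "warm"}  # assumed storage tiers that count as "not tape"
SAMPLE_TODAY = date(2024, 6, 30)  # fixed date so the sample is reproducible


@dataclass(frozen=True)
class LogArchive:
    host: str   # system in PCI scope that produced the log
    day: date   # the day the archive covers
    tier: str   # where it is stored: "hot", "warm" or "tape"


def audit_retention(archives, today):
    """Return (host, day, finding) tuples for every retention-policy violation."""
    findings = []
    oldest_required = today - timedelta(days=RETENTION_DAYS)
    online_cutoff = today - timedelta(days=ONLINE_DAYS)
    covered = {}
    for a in archives:
        covered.setdefault(a.host, set()).add(a.day)
        if a.day >= online_cutoff and a.tier not in ONLINE_TIERS:
            findings.append((a.host, a.day, "recent log not in easily accessible storage"))
    # Every day inside the one-year window must be present for each host.
    for host, days in covered.items():
        d = oldest_required
        while d <= today:
            if d not in days:
                findings.append((host, d, "missing daily log within one-year retention"))
            d += timedelta(days=1)
    return sorted(findings)


def purge_candidates(archives, today):
    """Archives older than the one-year window, eligible for retirement."""
    return [a for a in archives if a.day < today - timedelta(days=RETENTION_DAYS)]


def build_sample(today=SAMPLE_TODAY):
    """Constructed inventory: 400 days of logs for one host, with two planted defects."""
    archives = []
    for age in range(400):
        if age == 200:
            continue  # planted gap inside the retention window
        tier = "tape" if age == 10 or age > ONLINE_DAYS else "hot"  # age 10 wrongly on tape
        archives.append(LogArchive("pos-db-01", today - timedelta(days=age), tier))
    return archives
```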