Thursday, August 23, 2007

PCI and Database Logging

I saw this pathetic excuse of a vendor :-) the other day: they were trying to convince a prospect that their "kinda log management" tool is suitable for PCI DSS compliance (i.e. for Requirement 10, as well as for several other requirements; see more in my PCI book chapter on logging [PDF]) without having any way to collect and analyze database logs, such as Oracle audit logs/tables or MS SQL trace files. Yuck!

One would think that this post belongs in the "Nobody is That Dumb ... Oh, Wait" category, but no, folks, this is for real. Do you think the PCI DSS people put logging requirements in PCI just for fun? I wish :-) No, they put them there so that access to credit card information (PAN as well as other credit card and customer data) is recorded and can be monitored and reported on. And where are most of the card numbers and customer info stored? Yes, in databases!

So, please tell me, how can someone who cannot collect logs from databases have any semblance of credibility in PCI-driven log management? Exactly! :-)

Dr Anton Chuvakin