Friday, September 14, 2007

A Sensible Piece on Logging in PCI DSS

PCI DSS Compliance Demystified blog presents a sensible piece on Req 10 ("Track and monitor all access to network resources and cardholder data") here.

A few useful quotes from it: "This requirement is mean to show: Who did What and When, in order to (1) alert on suspicious activity and (2) facilitate a forensic investigation."

Indeed, log enough to know when things go bad and to investigate after you learned that they went bad.

They also highlight the need for database logging in PCI.

In any case, go read it.

Dr Anton Chuvakin