PCI DSS Compliance Demystified blog presents a sensible piece on Req 10 ("Track and monitor all access to network resources and cardholder data") here.
A few useful quotes from it: "This requirement is mean to show: Who did What and When, in order to (1) alert on suspicious activity and (2) facilitate a forensic investigation."
Indeed, log enough to know when things go bad and to investigate after you learned that they went bad.
They also highlight the need for database logging in PCI.
In any case, go read it.
1 comment:
Anton, thank you for your kind word. Maybe we should change the tag line of the blog to "Sensible PCI"
Post a Comment