Audit trails and centralized logging (PA-DSS 4.1 and PA-DSS 4.4)

PA-DSS 4.1 states that Payment Applications must set PCI DSS-compliant log settings, per PCI DSS Requirement 10. In addition, logs must be enabled, and disabling the logs will result in noncompliance with PCI DSS.

The Sterling™ Sensitive Data Capture Server has PA-DSS-compliant logging enabled by default. This logging is not configurable and cannot be disabled.

Sterling Sensitive Data Capture Server logging is configured per PCI DSS 10.2 and 10.3 as follows:

• Implement automated assessment trails for all system components to reconstruct the following events:
  • 10.2.1 All individual user access to cardholder data
  • 10.2.2 All actions taken by any individual with root or administrative privileges
  • 10.2.3 Access to all assessment trails
  • 10.2.4 Invalid logical access attempts
  • 10.2 5 Use of identification and authentication mechanisms
  • 10.2.6 Initialization of assessment logs
  • 10.2.7 Creation and deletion of system-level objects
• Record at least the following assessment trail entries for all system components for each event from 10.2.x:
  • 10.3.1 User identification
  • 10.3.2 Type of event
  • 10.3.3 Date and time
  • 10.3.4 Success or failure indication
  • 10.3.5 Origination of event
  • 10.3.6 Identity or name of affected data, system component, or resource.

Out of the box, the Sterling Sensitive Data Capture Server writes logs to a directory that is dictated by the log4j properties. Customers must develop the capability to automatically copy these logs to their centralized log server.