Requirement 4: Log payment application activity

Details about how requirement 4 and subrequirements 4.1, 4.2, 4.3, and 4.4 are fulfilled.

Requirement 4.1

At the completion of the installation process, the “out of the box” default installation of the payment application must log all user access and be able to link all activities to individual users.

The default IBM® Safer Payments configuration logs all user access, and links all activities to individual users.

You can use the PCI DSS compliance report to verify the correct configuration of your IBM Safer Payments logging function. For more information, see Running the PCI DSS compliance report.

Note: All PCI DSS relevant log messages are classified accordingly in the IBM Safer Payments software. Disabling them results in non-compliance with PCI DSS. For more information, see Changing log message settings.

You must also configure your system log according to PCI standards. You can find links to the security guides of all supported operating systems in Changing operating system settings.

Requirement 4.2

Payment application must provide an audit trail to reconstruct the following events:
  • All individual user accesses to cardholder data from the application
  • All actions taken by any individual with administrative privileges as assigned in the application
  • Access to application audit
  • Invalid logical access attempts
  • Use of, and changes to the application’s identification and authentication mechanisms (including but not limited to creation of new accounts, elevation of privileges, etc.), and all changes, additions, deletions to application accounts with root or administrative privileges
  • Initialization, stopping, or pausing of the application audit logs
  • Creation and deletion of system-level objects within or by the application

IBM Safer Payments can be configured accordingly to meet all subrequirements of requirement 4.2.

You can use the PCI DSS compliance report to verify the correct configuration of your IBM Safer Payments logging function. For more information, see Running the PCI DSS compliance report.

For more information about adapting log message settings, see Changing log message settings.

After adaptation, the report can be rerun and immediately reflects any changes made.

Note: All PCI DSS relevant log messages are classified accordingly in the IBM Safer Payments software. Disabling them results in non-compliance with PCI DSS.

Note: IBM Safer Payments itself cannot prevent log files from being deleted or modified at the file level from outside the application. Organizational procedures must be implemented to prevent such deletions and modifications. Therefore, centralized logging is recommended.

Requirement 4.3

Payment application must record at least the following audit trail entries for each event: […]

IBM Safer Payments can be configured accordingly to meet all subrequirements of requirement 4.3.

You can use the PCI DSS compliance report to verify the correct configuration of your IBM Safer Payments logging function. For more information, see Running the PCI DSS compliance report.

Note: All PCI DSS relevant log messages are classified accordingly in the IBM Safer Payments software. Disabling them results in non-compliance with PCI DSS.

Requirement 4.4

Payment application must provide centralized logging.

IBM Safer Payments provides centralized logging and fully meets this requirement.

All IBM Safer Payments system and audit logs can be accessed from the GUI, and third-party monitoring tools can import IBM Safer Payments log files. Third-party monitoring tools retrieve the log files that IBM Safer Payments writes from the log directory that is specified in the IBM Safer Payments base configuration.

To facilitate centralized logging, IBM Safer Payments supports the syslog protocol on Unix/Linux®.

For more information about how to activate centralized logging, see Changing log message settings.

Note: Your central log server must collect all relevant log messages from the system log. You must implement an operational process within your organization to collect the relevant logs from the operating system logs.