10: Log and Monitor All Access to System Components and Cardholder Data

Requirement 10.1

Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.

The default IBM® Safer Payments configuration logs all user access, and links all activities to individual users.

You can use the PCI DSS compliance report to verify the correct configuration of your IBM Safer Payments logging function. For more information, see Running the PCI DSS compliance report.

Note: All PCI DSS relevant log messages are classified accordingly in the IBM Safer Payments software. Disabling them results in non-compliance with PCI DSS. For more information, see Changing log message settings.

You must also configure your system log according to PCI standards. You can find links to the security guides of all supported operating systems in Changing operating system settings.

Requirement 10.2.1.5

Audit logs capture all changes to identification and authentication credentials including, but not limited to:
  • Creation of new accounts.
  • Elevation of privileges.
  • All changes, additions, or deletions to accounts with administrative access.

You can use the PCI DSS compliance report to verify the correct configuration of your IBM Safer Payments logging function. For more information, see Running the PCI DSS compliance report.

For more information about adapting log message settings, see Changing log message settings.

After you adapt the settings, you can rerun the report, which immediately reflects any changes made.

Note: All PCI DSS relevant log messages are classified accordingly in the IBM Safer Payments software. Disabling them results in non-compliance with PCI DSS.
Note: IBM Safer Payments itself cannot prevent log files from being deleted or modified outside the application at the file level. Organizational procedures must be implemented to prevent such deletions and modifications. Therefore, centralized logging is recommended.

Requirement 10.2.1.6

Audit logs capture the following:
  • All initialization of new audit logs, and
  • All starting, stopping, or pausing of the existing audit logs.

You can use the PCI DSS compliance report to verify the correct configuration of your IBM Safer Payments logging function. For more information, see Running the PCI DSS compliance report.

For more information about adapting log message settings, see Changing log message settings.

After you adapt the settings, you can rerun the report, which immediately reflects any changes made.

Note: All PCI DSS relevant log messages are classified accordingly in the IBM Safer Payments software. Disabling them results in non-compliance with PCI DSS.
Note: IBM Safer Payments itself cannot prevent log files from being deleted or modified outside the application at the file level. Organizational procedures must be implemented to prevent such deletions and modifications. Therefore, centralized logging is recommended.

Requirement 10.2.2

Audit logs record the following details for each auditable event:
  • User identification.
  • Type of event.
  • Date and time.
  • Success and failure indication.
  • Origination of event.
  • Identity or name of affected data, system component, resource, or service (for example, name and protocol).

You can use the PCI DSS compliance report to verify the correct configuration of your IBM Safer Payments logging function. For more information, see Running the PCI DSS compliance report.

Note: All PCI DSS relevant log messages are classified accordingly in the IBM Safer Payments software. Disabling them results in non-compliance with PCI DSS.

Requirement 10.3.3

Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.

IBM Safer Payments provides centralized logging and fully meets this requirement.

All IBM Safer Payments system and audit logs can be accessed from the GUI, and third-party monitoring tools can import IBM Safer Payments log files. These tools can retrieve the log files that IBM Safer Payments writes from the log directory that is specified in the IBM Safer Payments base configuration.

To facilitate centralized logging, IBM Safer Payments supports the syslog protocol on Unix/Linux®.

For more information about how to activate centralized logging, see Changing log message settings.

Note: Your central log server must collect all relevant log messages from the system log. You must implement an operational process within your organization to collect the relevant logs from the operating system logs.