Re: [Full-disclosure] PCI Audit Logging

[coderman <coderman@xxxxxxxxx>]

On 12/20/05, phenfen <phenfen@xxxxxxxxxxx> wrote:
> ...
> "Corporate policy and audit logging will be changed to include
> successful and unsuccessful login attempts when attempting to access
> audit logs on devices passing or storing card holder data."
>
> My read on this is that I just need to audit login attempts to the
> server where the card holder data is stored. Is that correct?

we audit database and unix logins on the server where this database is
hosted.  in most cases only the administrators have unix account
access while other individuals have specific database/view account
access.

note that you also need to have distinct accounts for every user as
well along with password expiration and history.  (you've probably
read these parts already)



> According to the Visa PCI requirements, "All key management activities
> should be logged..." (from the Visa Cardholder Information Security
> Program v5.5):

key management related to the encrypted database fields is a different issue...


> I understand that my goal is to appease the auditor, but I was looking
> for additional clarification or if anyone would like to share their
> experience with fulfilling this requirement.

hope that helps.  i'd strongly suggest having a 'trial' PCI audit
performed before the real thing, assuming you have the budget for such
a thing.  a lot of consulting co's are glad to do it (buyer beware).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/