Requirement 10: Track and monitor all access to network resources and cardholder data
Logging and log monitoring are critical tools in maintaining the security of sensitive systems. Audit trails must be maintained for all critical system components of the CDE, including workstations, servers, firewalls, routers, switches, wireless access points, etc. All access to cardholder data, access to audit logs, administrative actions, successful login attempts, and failed login attempts must be logged. Each log must include the user name, type of event, date and time, success or failure indication, IP address of the user, and the impacted system(s).
Logs should be centrally backed up and protected against unauthorized access and tampering. File-integrity monitoring should be configured on log records to detect and alert administrators of any unauthorized changes (new additions should not trigger an alert).
Review logs of all CDE systems daily. In most environments an automated log aggregation and analysis system similar to Splunk or LogRhythm is necessary to make this task manageable. Audit logs must be maintained for at least one year (with three months immediately available for analysis.)
Time synchronization (Windows Time and/or NTP) is a critical part of maintaining accurate logs. All systems should synchronize time with select internal timeserver(s). Only the designated internal timeserver(s) should synchronize with reputable external time source(s).
Sub requirement 10.8 applies only to service providers. It requires that a process is implemented for the timely failure detection and resolution of critical security control systems including firewalls, IDS/IPS, file-integrity monitoring, anti-virus, physical and logical access controls, and logging mechanisms.
Go back to Requirement 9 - Physical Access Restrictions.