Auditing and the Payment Card Industry (PCI) Data Security Standard

Here is a link to an interesting blog article interpreting the audit requirement of the PCI standard.


For reference, here is a link (pdf) to the PCI 1.1 Data Security Standard itself.


The high-level PCI requirements are listed below. Requirement 10 is the requirement pertaining to audit.


Build and Maintain a Secure Network

· Requirement 1: Install and maintain a firewall configuration to protect data
· Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

· Requirement 3: Protect stored data
· Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

· Requirement 5: Use and regularly update anti-virus software
· Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

· Requirement 7: Restrict access to data by business need-to-know
· Requirement 8: Assign a unique ID to each person with computer access
· Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

· Requirement 10: Track and monitor all access to network resources and cardholder data
· Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

· Requirement 12: Maintain a policy that addresses information security

UPDATE 2006/09/13: Linked to PCI standard v1.1. Thanks Mike for the heads up!

Comments (1)

  1. Anton_Chuvakin says:

    The important and often missed thing about PCI is that logs are useful in many more areas than just Req #10. If you read the PCI standard doc carefully, you'd discover a lot more places where logs have to be used, such as change audit, etc.