White Paper
ArcSight Logger and PCI DSS 1.2
Table of Contents
Background
ArcSight Logger and PCI DSS 1.2
Four Categories of Logs
PCI Requirements and ArcSight Logger
Conclusion
Background

Digital fraud and identity theft incidents have made the protection of payment card information more critical than ever. Cardholder security programs started as early as 2001, and credit card issuers joined together in 2004 to publish the first Payment Card Industry (PCI) Data Security Standard (DSS). Visa, MasterCard, American Express, Discover Bank and JCB all now endorse the standard. The PCI DSS differs from other information security regulations in that it is governed by private industry rather than elected officials, which means the PCI Security Standards Council (SSC) retains the authority to manage the DSS.

The DSS comprises twelve requirements to which members, merchants and service providers must adhere. It applies to any organization that stores, processes or transmits cardholder data. The requirements include the use of data encryption, end-user access controls, and activity monitoring and logging, as well as the need to regularly test security systems and processes. Companies face stiff fines or may even be barred from the card acceptance program if they do not comply. The PCI DSS extends to all "system components" of these organizations, which means all technology involved with or connected to cardholder data is in scope for the standard.
ArcSight Logger and PCI DSS 1.2

ArcSight Logger is delivered in a slim appliance form factor that supports ease of configuration and deployment. It provides high-performance log collection from any source into a highly compressed yet easily searchable and self-managing log data repository. ArcSight Logger addresses the growing need for collection, storage and analysis of data for all sizes and types of organizations. It can function both as a standalone appliance for log management and as a complement to the ArcSight ESM platform, which provides a foundation for IT risk and compliance management.

The DSS requires implementation of a robust information security management system, including monitoring and maintaining audit trails. Version 1.1 of the DSS was published in September 2006 with an 'Appendix B: compensating controls.' This appendix addresses the complexity of encryption and the fact that controls often cannot be immediately absorbed by entities facing compliance. Compensating controls, such as advanced logging capabilities to protect keys and enhance identity management, increase the relevance of logs. Version 1.2 was released on Oct 1, 2008, as the Security Standards Council uses a two-year lifecycle, and provides clarifications to make it easier for organizations to interpret and implement the DSS without losing the intent.

Taken together, Appendix B and the changes in version 1.2 make it clear that log management serves as a foundation for PCI compliance. The importance of maintaining a trail of the who, what, where, and when of cardholder data should not be underestimated. Even policy and risk assessment depend to a degree on data that is collected in logs and analyzed in a timely fashion. Requirement 10 is perhaps the most obvious, as it calls on organizations to "track and monitor all access to network resources and cardholder data."
ArcSight Logger is the industry-leading solution for this Requirement. It establishes a process to link user access to systems, especially for privileged accounts such as root and administrator. Additionally, it implements automated assessment trails for all system components to reconstruct specified events, records specified assessment trail entries for all system components for each event, secures the assessment trails so they cannot be altered, provides numerous storage options to retain history for more than one year, and provides a user-friendly interface and powerful reporting engine for daily review of all system component logs.

ArcSight Logger also goes beyond Requirement 10 and assists members, merchants and service providers that store, process or transmit cardholder data by making the rest of their PCI compliance program more efficient, effective and auditable. It automatically collects information from system components covered under PCI and provides an intelligent logging sol...