[PCI DSS 1.x] 10.2.6 Initialization of the audit logs

10.2.6 Initialization of audit logs



A PCI question regarding logs!

A managed services IT company is controlling access to a 3rd party client network. They must be PCI compliant.

The logs that record the access to the network are not held on the 3rd party site but can be copied across or accessed from the 3rd party site. This is because access to the 3rd party network is not granted through a single server.

So what I am asking is this:Do logs of who does what (or accesses what) need to be created on the 3rd party network and stored there permanently or could these logs be created on the managed services company network and then copied/duplicated across?

hope this makes sense!

That’s an excellent question because it brings up several topics in trying to answer it. Both the 3rd party (the underlying merchant I am assuming) and the managed services IT company are involved with compliance. If the managed services provider also processes, stores, or transmits any CHD (encrypted or not), they must also comply. For simplicity here I’m going to assume only the merchant has sensitive Card Holder Data (CHD) and that the managed services provider is simply providing a network authentication to the merchant. Other scenarios might have a different answer. 10.2.6 refers to logging the log initialization - i.e., a log entry for the date and time that the log started recording. To be compliant this log entry must be there and show that the log was working concurrent with granting access to the CHD environment. There must not be any gaps where there was no logging and CHD was being accessed. Your question however seemed to be more aimed at the requirement to log and store the logs, which are covered by 10.2.1 and 10.2.2 as well as 10.3. 10.5 covers what security must be applied to access logs and 10.7 discusses how long to keep the logs. 10.7.b requires the auditor for a Level 1 merchant to “Verify that audit logs are available online [for the previous 3 months and] on tape for at least one year.” As long as all these requirements are met, then your scenario of creation and copying should be acceptable. If I was the merchant I would have a very strong contract clause on this with my service provider.