The Green Sheet Online Edition

January 28, 2008  •  Issue 08:01:02

Requirement 10: PCI's Everest

By Michael Petitti

Complying with the Payment Card Industry (PCI) Data Security Standard (DSS) is a mandate for all merchants, regardless of acceptance channel and transaction volume. However, some requirements of the PCI DSS are more difficult to comply with than others.

In fact, my investigation of payment card compromises and PCI DSS audits of various merchants demonstrate that requirement 10 - track and monitor all access to network resources and cardholder data - proves especially difficult for the merchants involved.

In my research of 350 card compromise cases, more than half of the merchants involved failed to comply with requirement 10. Also, during initial PCI DSS audits of Trustwave's customers, 70% of them needed to remediate deficiencies within their network environment to comply with the 10th rule.

Follow the basics

Tracking and monitoring all access to network components and cardholder data is no easy feat. For example, the PCI DSS requires that audit trails record the following network events:

The PCI DSS also requires that for each of these events, the following information, at the least, be recorded:

Any entity that processes, stores or transmits payment card information must comply with the PCI DSS. Thus the standard's requirements are at the front of many merchants' minds, but monitoring and logging are basic tenets of any data security plan.

Bulk up on security

Monitoring and logging network events can strain any organization's resources, but the difference between implementing and not implementing logging measures can determine the severity of a security breach.

Critical files, such as those containing cardholder data or other sensitive information, must be monitored for unauthorized changes. If attackers are able to penetrate a network, they may attempt to add additional user accounts with administrative privileges.

Once attackers have gained administrative privileges, many times they can then access any asset on a network and begin copying sensitive information and sending it off-site.

Regular review of audit logs would alert a merchant or network administrator to foul play. But hackers do not work from 9 a.m. to 5 p.m. It's more likely that an attack on cardholder data will take place at 3 a.m. - the perfect time to invade a smaller merchant who doesn't have the resources to maintain a 24/7 security staff. And without continual, real-time monitoring of the logs, an alert may come too late.

Many operating systems provide default software programs that can log this information. However, requirement 10 calls for more than just the recording of events. Merchants must also review firewall, router, wireless access point and authentication server logs at least daily for unauthorized traffic and access attempts.

To complicate matters, depending on the systems running on a merchant's network, each device may perform its own form of logging. Without information technology (IT) staff expertise, it's unlikely these logs would make sense to the average merchant.

Even with in-depth IT knowledge, consolidating logs from multiple devices deployed across an entire network and presenting them in a way conducive to analysis would require a full-time IT employee, if not an entire staff.

The complexity of a merchant's environment also affects the amount of logs that need monitoring.

Without a centralized process by which event logs can be correlated, it becomes increasingly difficult for merchants to gain insight into what's occurring on their networks. While they may have enabled logging on their network devices, they find themselves buried in log data rather than at a vantage point with actionable information.
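The correlation this and the earlier paragraphs describe, as an added example rather than anything from the article or from Trustwave: lines from two devices are normalised and ordered by time, then a daily review flags a new root-equivalent account, a login with that account, off-hours logins, and outbound traffic from a host that used the new account. The log lines and both formats are constructed for the example, and the off-hours window is an assumed policy.

```python
import re
from datetime import datetime

# Constructed sample lines from two devices (not real data); both formats are assumed:
# an authentication server in syslog style and a firewall's outbound-connection log.
SAMPLE_LOGS = """\
2008-01-28T03:05:12 fw01 outbound: src=10.0.5.9 dst=203.0.113.7 proto=tcp dport=21 action=allow
2008-01-28T03:02:11 authsrv useradd[412]: new user: name=svc_backup, UID=0, GID=0
2008-01-28T03:04:50 authsrv sshd[431]: Accepted password for svc_backup from 10.0.5.9 port 51022
2008-01-28T09:15:03 authsrv sshd[560]: Accepted password for jdoe from 10.0.1.20 port 50110
"""

OFF_HOURS = range(0, 6)  # assumed review policy: 00:00 to 05:59 is outside business hours

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
USERADD_RE = re.compile(r"new user: name=(?P<user>\w+), UID=(?P<uid>\d+)")
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\w+) from (?P<src>[\d.]+)")
OUTBOUND_RE = re.compile(r"outbound: src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")


def parse(text):
    """Normalise every device's lines into (timestamp, host, message) tuples, ordered by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["msg"]))
    return sorted(events)


def review_logs(text):
    """Correlate the normalised events and return the alerts a daily log review should raise."""
    alerts = []
    new_admins = set()     # accounts created with UID 0 (root-equivalent)
    flagged_hosts = set()  # sources that logged in with one of those accounts
    for ts, host, msg in parse(text):
        if (u := USERADD_RE.search(msg)) and u["uid"] == "0":
            new_admins.add(u["user"])
            alerts.append(f"{ts} {host}: privileged account created: {u['user']}")
        elif lg := LOGIN_RE.search(msg):
            if lg["user"] in new_admins:
                flagged_hosts.add(lg["src"])
                alerts.append(f"{ts} {host}: login with new admin account {lg['user']} from {lg['src']}")
            elif ts.hour in OFF_HOURS:
                alerts.append(f"{ts} {host}: off-hours login by {lg['user']} from {lg['src']}")
        elif (o := OUTBOUND_RE.search(msg)) and o["src"] in flagged_hosts:
            alerts.append(f"{ts} {host}: outbound traffic from flagged host {o['src']} to {o['dst']}")
    return alerts
```

Because the firewall line is only meaningful once it is tied to the earlier account creation and login on the authentication server, the three alerts only appear when the logs are reviewed together; each device's log on its own would look routine.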

Fortunately, a number of information security companies have developed automated solutions to help merchants address the challenges of log tracking and monitoring around the clock. By allowing an outside data security expert to take over the monitoring of logs, a merchant not only saves money, but gains peace of mind.

While merchants may be baffled by the barrage of data streaming from their network devices, an experienced data security company monitoring merchants' logs can provide insight into the security status of their networks, and maintaining in-house staff becomes unnecessary.

To show that you're concerned about your merchants' needs, consider using an information security service, along with your payment solutions. Merchants will know you have their well-being in mind because you will be offering not only secure payment services and technology, but also data security solutions that protect their businesses.

Michael Petitti is Chief Marketing Officer of Trustwave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at
