12

Does PCI dictate how much should be logged at an application level or simply what shouldn't be logged?

I'm struggling with too much logging right now and some people who think we should have it. From a debugging perspective I've found excessive logging almost useless in the past and am kind of agreeing with Jeff Atwood on exception only logging.

I'm currently using AspectJ for about 99% of the logging in the applications I support so it isn't a big deal either way except when reviewing the logs for these exceptions and also that they are starting to take up a decent amount of room.

AviD
  • 72,138
  • 22
  • 136
  • 218
Casey
  • 895
  • 5
  • 18

2 Answers2

11

You are expected to log:

  • All individual accesses to cardholder data
  • All actions taken by any individual with root or administrative privileges
  • Access to all audit trails
  • Invalid logical access attempts
  • Use of identification and authentication mechanisms
  • Initialization of the audit logs
  • Creation and deletion of system-level objects

These must be logged with a verifiable date & time (proper time sync enabled) in an immutable manner. You should, "Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up)."

You'll want to look at the whole document and understand all the sub-requirements that make up the big 12. https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

To answer the Jeff Atwood theory, though, and maintain your own sanity, you should keep PCI DSS related logs separate from application activity logs. I would suggest that exceptions be copied into a separate log facility so that from a developer standpoint, logs are readable and sparse. From an auditor standpoint, your comprehensive logs can be, well, comprehensive and used to reconstruct activity.

Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
  • 1
    +1 for the last paragraph. I'm all in favour of having logs for different reasons going to different places, it's fairly easy to combine them for analysis should that ever be needed. –  Dec 23 '10 at 23:01
5

I have seen multiple businesses tagged for level 1 compliance achieve compliance with little to no effort made to modify their application logging beyond what was provided by default. To earn a compliance checkmark you can likely do it with showing very little (auditor inconsistency is still a wildcard though).

With that said, here are the relevant logging snippets from the Payment Application Data Security Standard (v. 2.0/Oct 2010) with regards to payment application activity:

alt text alt text

Tate Hansen
  • 13,714
  • 3
  • 40
  • 83