
Requirement 10 states: Track and monitor all access to network resources and card holder data

I find this a little vague and I have two questions.

If I don't store card holder data - do I just need to monitor access to networking resources?

When they say "Card holder data", do they mean the card holder data environment or specific records of card holder data? Can anyone clarify?

user
Sim

1 Answer

'Card holder data' is a summary of many combined concepts explained as:

  • PIN: your (at least) 4-digit code used to authorise transactions
  • PAN (Primary Account Number): a 14-, 15-, or 16-digit number generated as a unique identifier that the issuer (not the card holder) maintains ownership of
  • SAD (Sensitive Authentication Data): many cards have different names; CCV is common in my country and is typically a 3-4 digit number printed on cards
  • CHD (Cardholder Data): PAN, expiry, name, any elements of SAD
  • CDE (Cardholder Data Environment): basically anywhere PAN/SAD/CHD is 'processed', 'transmitted' via, or 'stored' persistently (like a hard drive) or temporarily (like RAM, or /tmp temporary files during processing), or even the storage for camera footage facing the keypad of a device where a PIN is entered, or a screen where software is running.

PCI DSS 3.2.1 (current version) states:

Track and monitor all access to network resources and cardholder data

As you say, it is Requirement 10, which has:

10.1 Implement audit trails to link all access to system components to each individual user.

10.2 Implement automated audit trails for all system components to reconstruct the following events

10.3 Record at least the following audit trail entries for all system components for each event:

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. Note: One example of time synchronization technology is Network Time Protocol (NTP).

10.5 Secure audit trails so they cannot be altered.

10.6 Perform the following:

10.6 is prescriptive and is followed by a list of things like:

10.6.1 Review the following at least daily:
  • All security events
  • Logs of all system components that store, process, or transmit CHD and/or SAD
  • Logs of all critical system components
  • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).

a) Examine security policies and procedures to verify that procedures are defined for reviewing the following at least daily, either manually or via log tools:
  • All security events
  • Logs of all system components that store, process, or transmit CHD and/or SAD
  • Logs of all critical system components
  • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).

Identify the documented security policies and procedures examined to verify that procedures define reviewing the following at least daily, either manually or via log tools:
  • All security events
  • Logs of all system components that store, process, or transmit CHD and/or SAD
  • Logs of all critical system components
  • Logs of all servers and system components that perform security functions.

Describe the manual or log tools used for daily review of logs.

b) Observe processes and interview personnel to verify that the following are reviewed at least daily:
  • All security events
  • Logs of all system components that store, process, or transmit CHD and/or SAD
  • Logs of all critical system components
  • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)

Identify the responsible personnel interviewed who confirm that the following are reviewed at least daily:
  • All security events
  • Logs of all system components that store, process, or transmit CHD and/or SAD
  • Logs of all critical system components
  • Logs of all servers and system components that perform security functions.

Describe how processes were observed to verify that the following are reviewed at least daily:
  • All security events.
  • Logs of all system components that store, process, or transmit CHD and/or SAD.
  • Logs of all critical system components.
  • Logs of all servers and system components that perform security functions.

This is just up to 10.6.1; there are more subsections of 10.6, and 10.7 through to 10.9 will also have a lot more detail, as this one example did.

So ask your QSA to share the ROC with you and you will get this level of detail for all of them and more, or you can go to pcisecuritystandards.org and obtain your own copy.

Stof
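As an added example (not part of the original question or answer) of what the audit-trail controls quoted above look like in code: a MAC-chained audit log whose integrity can be verified (10.5), where every record carries the individual user it belongs to (10.1), plus a daily review pass in the spirit of 10.6.1 that flags records tied to shared accounts and failed access to CHD components. The log schema, field names, account names, signing key and sample events are all constructed for illustration and are not a PCI-mandated format.

```python
import hashlib, hmac, json
# Key held only by the log-collection host (constructed placeholder, not a real secret).
LOG_KEY = b"example-log-signing-key"
GENESIS = "0" * 64
# Constructed list of shared/generic accounts that cannot identify an individual (10.1).
SHARED_ACCOUNTS = {"root", "admin", "service"}

def _mac(prev, event):
    body = json.dumps(event, sort_keys=True)  # canonical encoding so the MAC is reproducible
    return hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()

def append_event(chain, event):
    """Append an event chained to the previous record (10.5: a later edit or reorder breaks the chain)."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "mac": _mac(prev, event)})

def verify_chain(chain):
    """Return the index of the first record that fails verification, or None if the trail is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(prev, rec["event"])):
            return i
        prev = rec["mac"]
    return None

def daily_review(chain):
    """10.6.1-style review: (index, reason) for records not tied to an individual and failed CHD access."""
    findings = []
    for i, rec in enumerate(chain):
        ev = rec["event"]
        if ev["user"] in SHARED_ACCOUNTS:
            findings.append((i, "shared account, not linked to an individual user"))
        if ev.get("chd") and ev.get("result") == "fail":
            findings.append((i, "failed access to a CHD system component"))
    return findings

# Constructed sample events; the field names are illustrative, not a PCI-mandated schema.
SAMPLE = [
    {"ts": "2019-06-01T02:10:00Z", "user": "jsmith", "action": "read", "target": "pan-db", "chd": True, "result": "ok"},
    {"ts": "2019-06-01T02:11:30Z", "user": "root", "action": "login", "target": "pan-db", "chd": True, "result": "ok"},
    {"ts": "2019-06-01T02:12:05Z", "user": "amir", "action": "read", "target": "pan-db", "chd": True, "result": "fail"},
]

def build_sample_chain():
    """Chain the constructed sample events into an audit trail."""
    chain = []
    for ev in SAMPLE:
        append_event(chain, ev)
    return chain
```

In practice the chain key would live on a separate log collector, not on the system generating the events, otherwise an attacker who controls that system can re-sign the records they alter.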