| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Dec 20 18:57:06 2005 From: coderman at gmail.com (coderman) Subject: PCI Audit Logging On 12/20/05, phenfen <phenfen@...lbag.com> wrote: > ... > "Corporate policy and audit logging will be changed to include > successful and unsuccessful login attempts when attempting to access > audit logs on devices passing or storing card holder data." > > My read on this is that I just need to audit login attempts to the > server where the card holder data is stored. Is that correct? we audit database and unix logins on the server where this database is hosted. in most cases only the administrators have unix account access while other individuals have specific database/view account access. note that you also need to have distinct accounts for every user as well along with password expiration and history. (you've probably read these parts already) > According to the Visa PCI requirements, "All key management activities > should be logged..." (from the Visa Cardholder Information Security > Program v5.5): key management related to the encrypted database fields is a different issue... > I understand that my goal is to appease the auditor, but I was looking > for additional clarification or if anyone would like to share their > experience with fulfilling this requirement. hope that helps. i'd strongly suggest having a 'trial' PCI audit performed before the real thing, assuming you have the budget for such a thing. a lot of consulting co's are glad to do it (buyer beware).
Powered by blists - more mailing lists