PCI DSS Compliance and Logging: How Apica Can Help

How Apica can help with PCI DSS compliance

A quick look at the table above would indicate that having a log management or observability solution in place is not an explicit requirement for PCI DSS compliance. However, this list has several provisions that often require separate and proprietary tooling that you can quickly fulfil using a unified data platform like Apica. Additionally, the data convergence, monitoring, and management capabilities Apica provides make it extremely easy to meet PCI-DSS compliance requirements in several ways. The following sections describe exactly how Apica can help you get a few steps closer to complete PCI DSS compliance.

Protect Cardholder Data

Requirements 3 and 4 of the PCI-DSS standards mandate that you must protect cardholder data at all times. Some of the essential measures you should take to protect cardholder data include:

• protecting all cardholder information that you store
• encrypting the transmission of cardholder data across networks

Log data may not explicitly contain sensitive cardholder information. However, there is a possibility that some of that information could leak into your logs. In such situations, it is always easier to centralize your logs in a single place so that you can collectively encrypt and store that information. Apica is the only platform that uses S3-compatible storage as the primary storage layer, meaning that you could centralize your logs on Apica and encrypt and store them in a PCI-DSS compliant S3 storage service like AWS S3.

Mask sensitive information in logs

In the event sensitive cardholder data spills into your system logs, you wouldn’t want to keep them there at all, let alone for long. There’s always a good chance that your logs could include Personally Identifiable Information (PII) that can identify an individual, either on its own or in combination with other relevant data. With Apica, you can write powerful rules with custom regular expressions that match patterns in your incoming data stream and mask or replace these matched patterns before they move into your data storage layer. For example, suppose your log data contains credit card numbers. In that case, you can write rules using regular expressions that identify patterns that resemble credit card numbers and replace those strings with either randomized characters or a preset string. 

Apica enables you to set up these rules to either scan incoming data and mask PII within them in real-time or scan all of your logs across your distributed data sources to identify and conceal them in bulk. 

Implement Strong Access Control Measures

PCI-DSS requirements 7, 8, and 9 require implementing strong access control measures around accessing cardholder data. These requirements state that you should restrict access to cardholder data on a business need-to-know basis. You should also assign unique IDs to those with cardholder data access and limit physical access to this type of data. While Apica cannot help you directly adhere to these guidelines, it can let you know in the event of unauthorized access and give you the visibility you need to ensure that the access controls you’ve enforced are being followed.

By centralizing your logs and monitoring them on Apica, you can quickly identify instances of non-compliance before they become public knowledge. Apica’s built-in RBAC capabilities also enable you to set up role-based access to logs for your employees. By setting up RBAC, you can ensure that if some of your logs contain sensitive information, only those who need to know will be able to access those logs.

Regularly Monitor and Test Networks

PCI-DSS requirements 10 and 11 mandate strict monitoring for access to all network resources and regularly test security systems and processes. One of Apica’s core features is real-time monitoring and observability for distributed systems and environments. Using Apica, you can converge all of your authentication and access logs on a single platform and use this data convergence to track, monitor, and identify abuse and attempts at forced entry. Apica also ships with built-in Sigma rules that makes it a full-scale SIEM solution. Using Sigma rules, you can automatically augment incoming log data with relevant security-related events making it easier to detect threats to data security in real-time. 

Sigma rules are crowdsourced and constantly updated with the latest threat signatures, therefore ensuring that you’ve got adequate coverage against the newest types of attacks and threats. Apica also lets you visualize threats in incoming data, trigger alerts to your alert destinations, and kick-off remediation and security workflows.

Identifying and Alerting on Suspicious Activity

Sub-requirements 10.6 and 10.8 of the PCI-DSS standards mandate that you should be able to identify and respond to intrusions and unwanted access to cardholder data. While Apica SIEM capabilities help you identify threats in real-time, its alerting engine lets you transmit alerts to any destination of your choice. Apica comes with native integrations with ITOM tools such as OpsGenie and alerting tools such as Slack, HipChat, PagerDuty, Mattermost, and ChatWork. You can also integrate Apica with your email client and use webhooks to integrate with any alerting or IT automation platforms of your choice. You can leverage these native and custom integrations to trigger threat remediation and security workflows, thereby making you better equipped to deal with threats and intrusions in real-time.

In-depth Auditing and Reports

PCI DSS also requires you to generate in-depth data access reports and prove that you’re consistently following your data security practices.

Since logs are the best way to confirm continuous compliance, Apica automatically enables audit logging for all of your incoming data. Apica also has robust reporting capabilities that allow you to create ad-hoc reports on historical data. You can schedule the generation of reports with a built-in CRON job that runs periodically. For example, you can generate monthly reports listing all IP addresses that generated an invalid login attempt within any system or application.

Apica’s use of S3-compatible storage as the primary storage layer ensures that you not only store your logs for as long as you wish (without paying an exorbitant price for storage) but also have all of your stored data indexed and searchable. This means that you can generate reports that stretch way back into the past instantaneously, thereby making sure that your auditors have visibility over continuous compliance way back into the past.

Conclusion

Compliance with PCI DSS, or any other regulatory framework, may seem daunting to achieve but isn’t necessarily so. You may think that you’d need an entire arsenal of specialist tools to ensure that you’re staying compliant. However, tools like Apica provide an easier and more efficient way to achieve compliance while keeping your spending at a minimum.

Apica is the only data platform that solves the SCATTR (Scale, Convergence, Agility, TCO, Trust, and Retention) problem in data management. Most log management solutions may only help you meet a couple of PCI DSS requirements at best – that too, in conjunction with other tools or services. Apica helps you not only converge and manage your log data but also;

• secures and conceals sensitive cardholder information
• creates, manages, and governs data access using policies
• continuously monitors and assesses your systems and networks for performance and security
• alerts against threats and automates remediation
• audits your data and generates ad hoc and in-depth reports to prove continuous compliance

Getting started with Apica is easy and inexpensive. With SaaS and PaaS plans starting as low as $0.33 per GB per month, Apica can meet any budget. If you’d like to try out Apica, sign up for a 14-day free trial of Apica SaaS, or deploy the free-forever Apica PaaS Community Edition on any infrastructure of your choice.