Getting to know the PADSS audit guidelines: Log payment application activity

So far, this blog has looked at three of the requirements in the Payment Application Data Security Standard (PADSS) published by the PCI Security Standards Council, which sets out important points for payment application vendors to consider. The fourth requirement, as described in the May 2015 version of the document, concerns logging payment application activity and consists of several sub-requirements that help it align with the other PADSS points.

From installation through ongoing audit trails, applications should log access and keep a record of important details, including the identity of the user and a description of each application access event. With that information, administrators can tell the difference between authorized activity and malicious actions.

Some changes are not criminal activities in themselves but can signal that something nefarious is going on. Audit logs, for example, are often switched off before something illicit happens. By gathering enough log data, vendors learn more about the suspicious moments involving their applications and have a record to consult after the fact.

Finally, the requirement also lists "centralized logging" as crucial for applications. The application's logs should be convertible into formats that a central logging system can consume, which makes timely review and response easier.
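The three points above (record who did what and whether it succeeded, treat changes to the audit facility itself as a warning sign, and emit logs in a form a central collector can ingest) can be shown in a few lines. The following is an added example written for this post, not code from the PADSS document or from any vendor's product; the field names, the event names and the sample records are constructed for the illustration, and the 30-minute gap threshold is an arbitrary assumption.

```python
"""Structured audit records for a payment application plus a small review
pass over them. Illustrative code; field and event names are this example's own."""
import json
from datetime import datetime, timedelta, timezone

# Details each audit record should carry: who, what, when, outcome,
# where the request came from and what it touched. Names are assumed.
REQUIRED_FIELDS = ("ts", "user", "event", "outcome", "source", "resource")

# Events that alter the logging facility itself. Not wrong by themselves,
# but the kind of change that often precedes something illicit.
AUDIT_CONFIG_EVENTS = {"audit_log_disabled", "audit_log_cleared",
                       "audit_config_changed"}


def make_record(ts, user, event, outcome, source, resource, app="demo-pay-app"):
    """Build one flat audit record (a dict) so it serialises to one JSON line."""
    return {"ts": ts.isoformat(), "app": app, "user": user, "event": event,
            "outcome": outcome, "source": source, "resource": resource}


def to_json_line(record):
    """One JSON object per line: the form a log shipper forwards to a central
    log server or SIEM without further translation."""
    return json.dumps(record, sort_keys=True)


def missing_fields(record):
    """Return the required fields a record lacks; an empty tuple means complete."""
    return tuple(f for f in REQUIRED_FIELDS
                 if f not in record or record[f] in (None, ""))


def review_audit_trail(records, max_gap=timedelta(minutes=30)):
    """Walk records in time order and return findings an administrator should
    look at: incomplete records, changes to the audit facility, silent gaps."""
    findings = []
    prev_ts = None
    for rec in sorted(records, key=lambda r: r.get("ts", "")):
        gaps = missing_fields(rec)
        if gaps:
            findings.append(("incomplete_record", rec.get("event"), gaps))
        if rec.get("event") in AUDIT_CONFIG_EVENTS:
            findings.append(("audit_config_change", rec.get("user"), rec["event"]))
        if "ts" in rec:
            ts = datetime.fromisoformat(rec["ts"])
            if prev_ts is not None and ts - prev_ts > max_gap:
                findings.append(("logging_gap", prev_ts.isoformat(), ts.isoformat()))
            prev_ts = ts
    return findings


# Constructed sample trail: normal use, then the audit log is switched off,
# a 50-minute silence, a config change, and a record with no user identity.
T0 = datetime(2015, 5, 4, 9, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    make_record(T0, "alice", "login", "success", "10.0.0.12", "pos-console"),
    make_record(T0 + timedelta(minutes=5), "alice", "view_transaction",
                "success", "10.0.0.12", "txn/1042"),
    make_record(T0 + timedelta(minutes=7), "svc-admin", "audit_log_disabled",
                "success", "10.0.0.7", "audit-config"),
    make_record(T0 + timedelta(minutes=57), "svc-admin", "audit_config_changed",
                "success", "10.0.0.7", "audit-config"),
    {"ts": (T0 + timedelta(minutes=58)).isoformat(), "user": "",
     "event": "export_report", "outcome": "success",
     "source": "10.0.0.7", "resource": "report/daily"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(to_json_line(rec))
    for finding in review_audit_trail(SAMPLE_RECORDS):
        print("FINDING:", finding)
```

Run as a script it prints the five JSON lines followed by four findings: two audit-facility changes, one logging gap between 09:07 and 09:57, and one record missing the user field. Keeping every record a single JSON line is the simplest way to satisfy the centralized-logging point, since syslog forwarders and SIEM collectors accept that form directly.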

This isn't the only standard that recommends the practice. The Visa Asia Pacific Account Information Security Program references the same points as the PADSS in its own Best Practices list. It also identifies the many ways PCI DSS compliance affects breaches that could compromise different types of information: card validation codes, magnetic stripe data and PIN blocks are all at risk when vendors don't take pains to protect them.

Be sure to return to our blog as we look at more of the PADSS requirements. For more information on efficient and affordable payment processing software, contact 911 today.
