Virus logs & PCI compliance

Velvis

A client asked me if I keep virus logs for a year and have 3 months available on hand. Is this a common thing?

Also, if you are not handling credit card transactions through your own web site, what are the PCI requirements? Any good resources for learning more about it?

It's not a health or financial business.
 
Having been the PCI compliance person (for some value of) for the art gallery I was a partner in for around 4 years, we were never asked a blessed thing related to computer viruses, and I certainly didn't maintain any logs.

I suppose if you're accepting credit cards online it might be different, but if you're not you're virtually certain to be using a dedicated terminal or device such as Square, and you have pretty much zero control over those (besides physical access to same).
 
The current PCI questionnaire basically requires 1 year of AV logs... but it also requires 1 year of login logs...

I can tell you with absolute certainty... few have them.
 
Did you ask them what caused them to ask that question?

But, as mentioned, they need to be in certain regulated industries to have that as a requirement. And small businesses like that rely on their IT support company to properly manage that. Personally I never purge logs.
 
Keeping logs that long is more of a FINRA issue. Is your client a financial advisor or accountant etc?

This.

I just setup a few new computers at a small investment business and they wanted logs kept and backed up in duplicate for 1 year for all computers, printers, routers, etc.
 
@phaZed , how did you accomplish this? I can see batch files or ps scripts to do that periodically for computers, and any enterprise-class firewall will have a way to archive activity logs, but how do you automate this for printers, for example?
 
I didn't want to overtake the OP with a big story, but it's funny you ask... I didn't accomplish it, lol! They denied our managed services which would have been the solution to their issues. Among the log backups, they had a bunch of other requirements as well - patching within 1 week of release date, immediate response to Virus and malware threats, multiple versioned backups of each machine, etc.
 
Yep, all registers need full MSP management now to be PCI compliant. The funny part? You can't actually meet that standard unless you're using PC-based registers; there is no such thing as a compliant mobile register. BUT... everyone is using them! Whee!
 
Because businesses are not going to change longstanding practice, often vital to their cashflow, to be compliant with arbitrary, ever-changing on whim, and very often utterly unnecessary compliance standards.

Just based on what's been said so far in this topic, were I still in a position where I was filling out PCI questionnaires, I'd probably be lying through my teeth because virtually no one who doesn't have a full-time IT department and massive backup capability is going to be able to meet these inane requirements. There are times when I've been more than willing to "roll the dice," and this would be one of them.

Caring about printers, really?!!
 
@britechguy I agree... but there's a danger in that thinking as well. The reason mobile devices can't pass is they cannot be audited. The lack of root access is the critical variable here. The sandbox invites a false sense of security, and in many cases protects the malware after the breach has happened.

This is giving rise to a tremendously vulnerable infrastructure. The questionnaire is trying to force people to understand their infrastructure... in a world that wants to remain ignorant. I don't have a problem with that, but the requirements are also rather nuts.
 
If anyone thinks that Square and similar services are going away, I have some oceanfront property in Omaha, NE, I'd like to sell them.

PCI compliance cannot and must not be about "ultimate security" but taking reasonable precautions against probable risks while allowing maximal ease of conducting business.

And it sure as heck isn't the responsibility of the millions of users of Square (and similar services) to jump through hoop after hoop (and lie about some of them simply because they must and have no control over much of what the PCI compliance Nazis want answers for).
 
I don't take issue with Square, I take issue with the platform they operate on. The service is just that, it's not responsible for the hardware it's working with. The issues at play are rights of ownership, rights of repair, and rights of access. Most of these faults lie at the feet of Google and Apple... they have little to do with payment processing companies such as Square.

Though I do make a special exemption for PayPal... that nightmare deserves a special Hell all for itself.
 
Well, PayPal has been transferring untold millions (billions, probably, by now) of dollars, euros, etc.,etc., etc., safely and easily for years now, so they must be doing something right.

Most of what gets demanded, PCI Compliance wise, from end-user merchants is irrelevant and not even under their control. That simply should not be. Unless people make the effort to protest this inanity will continue unabated, and will assuredly get worse and more ridiculous.
 
Oh yeah, the compliance questionnaire reads more like a continuous bombardment of boilerplate junk instead of actual meaningful security items.
 