PCI Compliance — SIEM Solutions Protecting Your Data
The Payment Card Industry Data Security Standard (PCI DSS) is a set of compliance requirements that apply to any organization that processes or stores credit card information. A company that fails to meet PCI DSS compliance can face penalties, fines, forensic investigations, and liability for fraudulent charges, along with damage to its brand.
Blumira PCI DSS Monitoring and Reporting
The Blumira platform performs a wide range of monitoring and reporting capabilities that can help organizations with PCI DSS 4.1, 5.2, 6.3, 10.1-10.8 and 12.10.
Requirement 4: Protect Cardholder Data with Strong Cryptography: 4.0
PCI DSS 4.2.1 – Strong cryptography and security protocols are implemented as follows to safeguard primary account numbers (PAN) during transmission over open, public networks:
- Only trusted keys and certificates are accepted.
- Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked.
- The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
- The encryption strength is appropriate for the encryption methodology in use.
Blumira alerts organizations when insecure protocols such as File Transfer Protocol (FTP) and Telnet are in use.
Requirement 5: Protect Systems Against Malware; Update Anti-virus Software: 5.0
PCI DSS 5.3.4 – Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. Audit logs allow an entity to determine how malware entered the environment and track its activity when inside the entity’s network.
PCI DSS 5.2 – Ensure that all anti-virus mechanisms are kept current, and perform periodic scans as well as generate audit logs (retained per PCI DSS 10.7).
Blumira helps customers by retaining and analyzing audit logs.
Requirement 10: Track and Monitor Access to Network Resources and Cardholder Data: 10.1
PCI DSS 10.1 – Implement audit trails to link all access to system components to each individual user. PCI 10.0 emphasizes the importance of logging mechanisms to track user activities in order to prevent, detect or minimize the impact of a compromise. It can be very difficult or impossible to determine the root cause of a compromise without system activity logs.
The Blumira security platform can help you meet certain aspects of the PCI DSS requirement 10. Blumira collects security event logs and retains them for up to one year, providing an audit trail that helps you to trace suspicious activity back to specific users.
Requirement 10: Implement Audit Logs: 10.2
10.2.1 – Audit logs are enabled and active for all system components and cardholder data.
10.2.1.1 – Audit logs capture all individual user access to cardholder data.
10.2.1.2 – Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
10.2.1.3 – Audit logs capture all access to audit logs.
10.2.1.4 – Audit logs capture all invalid logical access attempts.
10.2.1.5 – Audit logs capture all changes to identification and authentication credentials including, but not limited to creation of new accounts, elevation of privileges, and all changes, additions, or deletions to accounts with administrative access.
10.2.2 – Audit logs record the details for each auditable event including user identification, type of event, date and time, success and failure indication, origination of event, and identity or name of affected data, system component, resource, or service - for example, name and protocol.
10.3.1 – Read access to audit log files is limited to those with a job-related need.
10.3.2 – Audit log files are protected to prevent modifications by individuals.
Blumira collects your log data from different systems and applications, including all relevant information about users, type of event, date and time, origin of event and more. Then, the Blumira security platform analyzes your data in near real-time to automatically detect threats and alert you to any anomalies, including suspicious activity within your environment.
To reduce the noise of false positives and alert fatigue, the Blumira security team uses the latest intel from different threat feeds for fine-tuned detection rules and alerts. Blumira reviews logs to determine security and operational risk, and makes them available to organizations for periodic review, which can be used for their own policy and procedural purposes.
Blumira users can also run existing reports or build new ones on a scheduled basis to meet their compliance needs. Blumira reporting also allows organizations to easily search their own logs to view trends related to access attempts, like failed logins. With certain integrations, Blumira can collect and notify you of administrative activity, the elevation of privileges, and all changes to user accounts.
The Blumira log database is only accessible to internal Blumira services and parties that require access. Blumira maintains raw log data while tracking and identifying log messages to ensure data integrity and validation.
Through periodic review and internal processes, Blumira validates that incoming logs have not been tampered with, while alerting customers if any audit logs are cleared to help protect them from modification by attackers or insiders that may want to hide their activity.
Blumira also provides documentation and Group Policy Object configurations to fully enable and enhance Windows logging, in order to enable as many valuable security logs as possible.
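The field list in 10.2.2 and the alert on cleared audit logs described above, as an added example that is not Blumira's code: a small checker that validates constructed audit events against the six 10.2.2 fields and raises a finding when a log-clearing event appears. The record schema (field names) and the sample events are assumptions made for this example; Windows Security Event ID 1102 ("The audit log was cleared") is the one real identifier used.

```python
"""Check audit events for PCI DSS 10.2.2 completeness and flag audit-log
clearing (10.2.1.3 / 10.3.2). Added example; field names are assumed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# The details PCI DSS 10.2.2 requires for every auditable event.
REQUIRED_FIELDS = (
    "user",        # user identification
    "event_type",  # type of event
    "timestamp",   # date and time
    "outcome",     # success or failure indication
    "origin",      # origination of the event (host or address)
    "target",      # affected data, system component, resource or service
)

# Windows Security log Event ID 1102 is "The audit log was cleared".
LOG_CLEARED_EVENT_TYPES = {"windows:1102"}


@dataclass
class Finding:
    kind: str          # "incomplete_record" or "audit_log_cleared"
    record_index: int  # position of the offending event in the input
    detail: str


def missing_fields(record: dict) -> list[str]:
    """Return the 10.2.2 fields that are absent or empty in one event."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def review_events(records: Iterable[dict]) -> list[Finding]:
    """Walk the events once, reporting incomplete records and log clears."""
    findings: list[Finding] = []
    for i, rec in enumerate(records):
        gaps = missing_fields(rec)
        if gaps:
            findings.append(Finding("incomplete_record", i, "missing: " + ", ".join(gaps)))
        if rec.get("event_type") in LOG_CLEARED_EVENT_TYPES:
            # Clearing the audit log is itself an auditable event that must alert.
            findings.append(Finding("audit_log_cleared", i,
                                    f"{rec.get('user')} cleared the audit log on {rec.get('origin')}"))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"user": "jdoe", "event_type": "logon", "timestamp": "2024-03-01T08:02:11Z",
     "outcome": "failure", "origin": "10.0.0.5", "target": "pos-db01:rdp"},
    {"user": "svc_backup", "event_type": "file_read", "timestamp": "2024-03-01T08:05:40Z",
     "outcome": "success", "origin": "10.0.0.9"},  # no target: fails 10.2.2
    {"user": "admin", "event_type": "windows:1102", "timestamp": "2024-03-01T08:07:03Z",
     "outcome": "success", "origin": "pos-db01", "target": "Security log"},
]

if __name__ == "__main__":
    for f in review_events(SAMPLE_EVENTS):
        print(f.kind, f.record_index, f.detail)
```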
Requirement 10: Review Audit Logs: 10.4 & 10.4.1
10.4 – Audit logs are reviewed to identify anomalies or suspicious activity.
10.4.1 – The following audit logs are reviewed at least once daily: All security events, logs of all system components that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), logs of all critical system components, and logs of all servers and system components that perform security functions - for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), and authentication servers.
PCI DSS good practice guidance recommends checking logs daily (7 days a week, 365 days a year, including holidays) to minimize the duration and exposure of a potential breach. Log harvesting, parsing, and alerting tools, centralized log management systems, event log analyzers, and security information and event management (SIEM) solutions are examples of automated tools that can be used to meet this requirement.
To help reduce the manual effort for customers, the Blumira team of security experts writes and maintains detection rules, and then deploys them into the platform to automate threat analysis, detection and response. We focus on real attacker behavior patterns, testing and tuning our rules to reduce noisy alerts and false positives, which surfaces meaningful findings through playbooks that guide customers through remediation.
Requirement 10: Automated Audit Log Review: 10.4.1.1
10.4.1.1 is currently a “best practices” requirement, but will be mandatory in 2025. When it’s mandatory, manual review of logs will no longer be an option, and all organizations that fall under PCI DSS requirements must use a SIEM or other equivalent tool that automatically analyzes logs for signs of attacker behavior.
Once Blumira receives logs from a supported system, our expert-created and maintained detection rules find logs that show evidence of attacker behavior in a system. If a rule is triggered, system administrators are notified, and if needed, Blumira SecOps support is available 24/7 to assist with urgent issues.
Requirement 10: Retention of Audit Log History: 10.5
10.5.1 – Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.
Blumira retains one year of your organization’s audit log history in hot storage, which means it’s immediately available to help with forensic analysis. Many cyber insurance policies also require at least a year of log data retained, as well as centralized logging, detection, and response. Without meeting this requirement, it can be challenging to get insured or get a claim paid out after a security incident.
Requirement 10: Control System Failure Detection
10.7 – Failures of critical security control systems are detected, reported, and responded to promptly.
Blumira deploys security policies to monitor access to networks and data where relevant and possible, based on incoming data. Once integrated with other security tool feeds, such as firewalls, identity and access management, endpoint protection, servers and cloud infrastructure, Blumira can monitor, detect, and report any operational disruptions. This helps organizations recognize and respond in a timely manner to any critical security control failures.
Requirement 12: Respond to Suspected and Confirmed Incidents
12.10 – Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
The incident response cycle starts with reliable identification and validation of qualified security events. Blumira rules can help you identify suspicious activity and potential threats to get you started with your incident response plan. Built-in playbooks also accompany every finding, helping you respond quickly.
Appendix A1
A1.1 – Multi-tenant service providers protect and separate all customer environments and data.
A1.2 – Multi-tenant service providers facilitate logging and incident response for all customers.
Blumira only uses PCI DSS-approved cloud-hosted solutions within Google Cloud Platform. Our on-site sensor limits access and performs only a limited set of actions, and the security of the host is managed by the organization.
All Blumira data is encrypted and accessible only through role-based access controls. Blumira holds and analyzes audit logs for CDEs to ensure consistent authentication. Organizations can use this data to perform daily reviews within our Reporting dashboard, which includes access to all raw data gathered within the environment.
With integrations, Blumira ensures that logs are enabled and active by default for common third-party applications, and available for review only by the owning customer.