PCI DSS stands for Payment Card Industry Data Security Standards. It is a set of compliance regulations that any eCommerce and WordPress site that deals with cardholder data has to adhere to. Websites have to be compliant even if they do not store cardholder data and use a third party payment gateway.
PCI DSS compliance consists of 12 different requirements which cover every aspect of network, physical and web application security that is required to protect the cardholder data and achieve compliance.
In this post we will focus specifically on how PCI DSS requirement 10 applies to WordPress sites and what you need to do to have a compliant website.
PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data
“Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.” – PCI DSS Requirement 10.
In short, this PCI DSS requirement requires organizations to use an audit / activity log system on their networks and websites to keep a log of the changes. Logs are required for accountability and also to trace back user activity. This is important for forensic work and to identify the cause of a security breach.
Therefore when you use WordPress to power your business sites, install a WordPress activity log plugin. However compliance does not just stop there. The PCI DSS requirement 10 is split into several sub-sections and goes into the technicalities of how the system should work, what it should keep a log of and more, as explained in this article.
PCI DSS Requirement 10.1
Implement activity logs to link all access to system components to each individual user.
Even though your WordPress sites, payment gateways and other services you use are individual systems, a change in one can affect the others. So to comply with this requirement you have to keep track of all the changes that happen on all the systems, and who made each change. That way, in the case of an unwanted change, it is easy to find out who made it.
Check the activities of every user on your payment gateway and WordPress site, especially WooCommerce shop managers. Ideally you should also generate frequent WordPress user activity reports and have them reviewed.
PCI DSS Requirement 10.2
Implement automated activity logs for all system components to reconstruct the following events.
This sub-section of PCI DSS requirement 10 details what the system should keep a log of and how it should be set up. It also emphasizes that all logging should be automated, to avoid human errors.
10.2.1: All individual user accesses to cardholder data: the WordPress activity log solution should keep a log of generic user actions leading to accessing possible sensitive data, such as logins, or when they access a page which allows access to the data.
10.2.2: All actions taken by any individual with root or administrative privileges: individuals with the administrator role on WordPress, or super admin roles on a WordPress multisite network, have access to everything. Hence it is imperative to track the activity of these users. There should be no exceptions for WordPress administrators and super admins.
10.2.3: Access to all activity logs: to comply with this requirement businesses need to be able to verify who accessed the activity logs. When using the WP Activity Log plugin you can restrict access to the WordPress activity logs to specific authenticated WordPress users.
10.2.4: Invalid logical access attempts: the activity log plugin you use for your WordPress sites should keep a log of both failed and successful logins. A log of failed logins is important because frequent attempts can be a sign of a possible attack.
10.2.5: Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges: the WordPress activity log plugin should keep a record of all non-trivial user profile changes, such as password resets, email address changes, or user role and privilege changes. Even though such changes can be legitimate, always double check who made the change to confirm its legitimacy.
10.2.6: Initialization of Assessment Logs: malicious users always try to delete the records or logs to hide their traces. Therefore the plugin should keep a log whenever the logs are purged or paused.
10.2.7: Creation and deletion of system-level objects: when a WordPress site is hacked or infected with malware, system-level objects such as the database or files are modified. So to comply, the WordPress activity log plugin should keep a log of database changes and have WordPress file integrity checks.
PCI DSS Requirement 10.3
Record at least the following activity log entries for all system components for each event
This requirement highlights all the details every event in the activity log should have:
- User identification (WordPress username and role)
- Type of event
- Date and Time
- Indication if it was a success or a failure
- Origination of event
- Name or identification of affected component or resource
The WP Activity Log plugin for WordPress records all of the above mentioned information for each and every event in the WordPress activity log.
PCI DSS Requirement 10.4
Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
Synchronization of time between the different systems is crucial. Otherwise you won’t be able to trace back activity and build a sequence of events when using data from multiple log files.
WordPress uses the system time of the server it is hosted on. Also, the administrator can configure the time zone for the site. So confirm that the web server’s time is synchronized and the correct time zone is configured on the WordPress site. The WP Activity Log plugin uses the timestamp configured in WordPress in the activity logs.
PCI DSS Requirement 10.5
Secure activity logs so they cannot be altered
Like other sensitive data, the WordPress activity logs need to be secured and protected, so they cannot be tampered with. This section details how you can comply:
10.5.1 Limit viewing of activity logs to those with a job-related need: configure who can access the logs. Ideally first block everyone and then allow only those who require access rather than the other way round.
10.5.2 Protect activity log files from unauthorized modifications
10.5.3 Promptly back up activity log files to a centralized log server or media that is difficult to alter
10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)
Requirements 10.5.2 up to 10.5.5 can be met by segregating the activity log data from the WordPress site data. If resources allow, create multiple copies of the logs database, or mirror it to centralized solutions, such as Slack and Syslog.
The WP Activity Log plugin has several third party service integration tools you can use to keep the activity logs secure and to easily mirror them to central log management solutions such as AWS CloudWatch and Loggly.
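The change-detection idea in 10.5.5 (alert when existing log data changes, stay quiet when new entries are appended) can be sketched as follows. This is an added example, not code from the WP Activity Log plugin; the function names and the sample log lines are constructed, and it assumes the baseline is stored somewhere the web server cannot write to.

```python
import hashlib
import os
import tempfile

def snapshot(log_path):
    """Record the size and SHA-256 of the log as it exists right now."""
    with open(log_path, "rb") as fh:
        data = fh.read()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def check(log_path, baseline):
    """Compare the log with an earlier baseline.

    Returns "unchanged", "appended" (no alert) or "tampered" (alert).
    """
    with open(log_path, "rb") as fh:
        data = fh.read()
    if len(data) < baseline["size"]:
        return "tampered"          # log was truncated or replaced
    prefix = data[:baseline["size"]]
    if hashlib.sha256(prefix).hexdigest() != baseline["sha256"]:
        return "tampered"          # an already-recorded entry was edited
    return "appended" if len(data) > baseline["size"] else "unchanged"

def demo():
    """Run the check over a constructed log file and return the verdicts."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "activity.log")
        with open(path, "wb") as fh:
            fh.write(b"2024-01-01T09:00:00Z alice login success\n")
        base = snapshot(path)
        results.append(check(path, base))      # nothing happened yet
        with open(path, "ab") as fh:           # a new entry is appended
            fh.write(b"2024-01-01T09:05:00Z bob login failure\n")
        results.append(check(path, base))
        with open(path, "r+b") as fh:          # an old entry is overwritten
            fh.write(b"2024-01-01T09:00:00Z mallo")
        results.append(check(path, base))
    return results

if __name__ == "__main__":
    print(demo())
```

Log rotation also shrinks the file, so take a fresh baseline as part of the rotation job rather than suppressing the alert.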
PCI DSS Requirement 10.6
Review logs and security events for all system components to identify anomalies or suspicious activity.
In an ideal world WordPress site administrators have the time to manually review the activity logs, as well as the logs of the web server service, database server, and the system.
However, even though we strongly encourage everyone to do so, I doubt there is anyone who does it. Everyone is so very busy! That is why it is important to set up a WordPress Intrusion Detection System (IDS) that can automatically alert you when there is something suspicious in the WordPress activity logs, like a user login during unusual hours or from an unusual location.
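An automated review of this kind can be sketched over records that carry the six fields listed under requirement 10.3, flagging repeated failed logins (10.2.4) and logins during unusual hours. This is an added example, not the plugin's own code or log format; the record layout, thresholds, working hours and sample records are all assumptions, and timestamps are assumed to be in one time zone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The 10.3 fields, under assumed key names.
REQUIRED = ("user", "role", "event", "time", "outcome", "origin", "object")
WORK_HOURS = range(7, 20)                     # assumption: 07:00-19:59 is normal
MAX_FAILS, WINDOW = 3, timedelta(minutes=5)   # assumption: alert threshold

def review(records):
    """Return a list of (rule, detail) alerts for a list of log records."""
    alerts, fails = [], defaultdict(list)
    for n, entry in enumerate(records):
        missing = [f for f in REQUIRED if not entry.get(f)]
        if missing:
            alerts.append(("incomplete-record", f"record {n} lacks {missing}"))
            continue
        if entry["event"] != "login":
            continue
        when = datetime.fromisoformat(entry["time"])
        if entry["outcome"] == "failure":
            # Keep only failures from this origin inside the sliding window.
            recent = [t for t in fails[entry["origin"]] if when - t <= WINDOW]
            recent.append(when)
            fails[entry["origin"]] = recent
            if len(recent) == MAX_FAILS:
                alerts.append(("repeated-failed-logins", entry["origin"]))
        elif when.hour not in WORK_HOURS:
            alerts.append(("off-hours-login", f"{entry['user']} at {entry['time']}"))
    return alerts

def login(user, role, time, outcome, origin):
    """Build one constructed login record."""
    return {"user": user, "role": role, "event": "login", "time": time,
            "outcome": outcome, "origin": origin, "object": "wp-login"}

# Constructed sample records (documentation IP ranges), not real log data.
SAMPLE = [
    login("shopmgr", "shop_manager", "2024-03-04T09:15:00", "success", "192.0.2.10"),
    login("admin", "administrator", "2024-03-04T10:00:05", "failure", "203.0.113.7"),
    login("admin", "administrator", "2024-03-04T10:00:40", "failure", "203.0.113.7"),
    login("admin", "administrator", "2024-03-04T10:01:10", "failure", "203.0.113.7"),
    login("admin", "administrator", "2024-03-05T02:30:00", "success", "198.51.100.4"),
    login("", "editor", "2024-03-05T11:00:00", "success", "192.0.2.11"),
]

if __name__ == "__main__":
    for alert in review(SAMPLE):
        print(alert)
```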
PCI DSS Requirement 10.7
Retain activity log history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
Many security compromises are discovered weeks and sometimes even months after the actual occurrence. So the WordPress site activity logs should be kept for at least one year. If you can keep logs for much longer, do so. You can never say what you might need the logs for.
You can configure the data retention policies of the WordPress activity logs when you use the WP Activity Log plugin.
PCI DSS Requirement 10.8
Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of firewalls, IDS/IPS, FIM, anti-virus, Physical access controls, logical access controls, activity logging mechanisms, segmentation controls.
This sub requirement only applies to service provider businesses. However it is still worth a mention: businesses must implement checks and notifications for when control systems fail.
Start with something simple, like a ping test. When the system becomes more complex, build a robust uptime check system for your WordPress sites. There is quite a good variety of third party services you can use for this.
PCI DSS Requirement 10.9
Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
As your WordPress site and business grow, the setup becomes more complex. Some eCommerce WordPress sites have thousands of users with different privileges. You might already have multiple administrators managing your WordPress multisite network.
So document all the processes and systems to ensure all administrators know the system well. For example, keep a list of all the installed plugins and the purpose of each plugin. Document where all data is stored, how it is stored and the configured retention periods.
Anything that can help your team get a better understanding of your business operations and WordPress sites helps.
WordPress Activity Logs and PCI DSS Requirement 10
In this post we have explained what you need to do to have a PCI DSS Requirement 10 compliant WordPress site or multisite network. It might sound like a lot, however it is not. All you need to do is install the WP Activity Log plugin, and:
- configure the external storage and mirroring of the activity logs
- configure the activity log data retention
- confirm that only the users with the right privileges can view the activity log data.
Another option would be to mirror your WordPress website activity log to a logs management system, after making sure the logs management system is PCI DSS compliant. Can’t be simpler! I also recommend that you go a step further and configure some WordPress activity log email notifications, so you are alerted of suspicious behaviour early, allowing you to take the necessary evasive actions.
Having a PCI DSS Compliant WordPress Site
Requirement 10 is only one of the 12 requirements your website needs to comply with to be PCI DSS compliant. To learn more read the definitive guide to PCI DSS Compliance for WordPress eCommerce and business sites.