Non-human Payment Application Logs

The Assessor Update for September 2010 has an amusing clarification about what to log. Apparently some PA-QSA believed that if there was no human interaction with a system then “individual access” was not required for logs. Not true, says the PCI SSC. They give the following details:

10.2.1 All individual accesses to cardholder data

10.2.2 All actions taken by any individual with root or administrative privileges

10.2.3 Access to all audit trails

10.2.4 Invalid logical access attempts

10.2.5 Use of identification and authentication mechanisms

10.2.6 Initialization of the audit logs

10.2.7 Creation and deletion of system-level objects

Even if a payment application cannot be configured to provide individual access to cardholder data (possibly supporting a finding of N/A for 10.2.1), the application must still be assessed against each of the other requirements listed above. Again, not all of these events require active interaction by a human user to be performed, and these activities must be logged regardless of what type of account is performing them.
Thus, “individual access” now clearly covers both human and non-human accounts.
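As an added illustration (not from the Assessor Update or any real payment application), here is a small coverage check over constructed audit events: it maps each event to its 10.2.x sub-requirement, flags any event, including one from a service or batch account, that carries no attributable account id, and lists sub-requirements for which no event was seen at all. The event type names and the JSON layout are assumptions made for the example.

```python
"""Constructed PCI DSS 10.2 audit-event coverage check (example, not vendor code).
Assumes one JSON event per line with "type" and "actor"; type names are invented."""
import json
# Assumed application event types mapped to the PCI DSS 10.2 sub-requirements
PCI_10_2 = {
    "chd_read": "10.2.1", "chd_export": "10.2.1",          # cardholder data access
    "admin_action": "10.2.2",                              # root/admin actions
    "audit_log_read": "10.2.3",                            # access to audit trails
    "auth_failure": "10.2.4",                              # invalid logical access
    "auth_success": "10.2.5",                              # identification/authentication
    "audit_log_init": "10.2.6",                            # audit log initialization
    "object_create": "10.2.7", "object_delete": "10.2.7",  # system-level objects
}

def classify(event):
    """Map one parsed event to its 10.2.x category; flag events with no actor id."""
    cat = PCI_10_2.get(event.get("type"))
    if cat is None:
        return None, None
    # Service and batch accounts count as individuals too: the actor id must be set
    if not (event.get("actor") or {}).get("id"):
        return cat, "no attributable account"
    return cat, None

def audit(lines):
    """Return per-category counts, unattributed events, and categories never seen."""
    counts = {f"10.2.{i}": 0 for i in range(1, 8)}
    findings = []
    for n, line in enumerate(lines, 1):
        cat, problem = classify(json.loads(line))
        if cat is None:
            continue
        counts[cat] += 1
        if problem:
            findings.append((n, cat, problem))
    missing = [c for c, k in counts.items() if k == 0]
    return counts, findings, missing

# Constructed sample: a settlement service account, a clerk, an admin, and a
# nightly cleanup job that wrote its event with no actor at all
SAMPLE_LOG = [
    '{"type":"auth_success","actor":{"id":"svc-settlement","kind":"service"}}',
    '{"type":"chd_read","actor":{"id":"svc-settlement","kind":"service"},"records":412}',
    '{"type":"chd_read","actor":{"id":"jdoe","kind":"human"},"records":1}',
    '{"type":"auth_failure","actor":{"id":"jdoe","kind":"human"}}',
    '{"type":"object_delete","actor":{},"object":"tmp_batch_20100913"}',
    '{"type":"admin_action","actor":{"id":"ops1","kind":"human"},"detail":"restart"}',
]
if __name__ == "__main__":
    print(audit(SAMPLE_LOG))  # cleanup job's delete is flagged; 10.2.3 and 10.2.6 unseen
```

The settlement job's reads are counted under 10.2.1 just like the clerk's, which is the point of the clarification; the cleanup job's delete is the one that fails the check.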

One can only assume that someone might have thought they could get around log requirements by hiring a parrot to run their POS. “Squawk! Credit card number please. Squawk!”
