Error Logging


filepillow
03-18-2008, 09:30 PM
Hi,

In case an ISO 8583 message gets into the payment system and the system is unable to interpret the message, is it OK for the application to log the raw message for troubleshooting?

The risk involved is that track 2 may be part of the message, but there's no way to tell since the message is unreadable.


Thanks. :)

rx.jeff
02-20-2009, 01:56 PM
I also have a question regarding logging. If a user account has read-only privileges, the log files do not have to log that user's activities, correct? (Other than the user logging on and off.)

Also, if a user with admin privileges logs on, does logging need to track every detail? Or can it simply log when a user has changed something from the default settings? What is the scoop?

How about in the case of an application that has cc info flowing through only, i.e. it is not captured (other than in log files, where only an encrypted (gibberish) cc# is recorded as #$@%@@~ to indicate that the transaction involved a cc# and not cash)? Does detailed logging need to be activated? If so, why? No sensitive info can be garnered from this application. It cannot be used for anything other than a 'conduit' (it's middleware).

jbhall56
03-01-2009, 08:04 AM
In case an ISO 8583 message gets into the payment system and the system is unable to interpret the message, is it OK for the application to log the raw message for troubleshooting?

The risk involved is that track 2 may be part of the message, but there's no way to tell since the message is unreadable.

I would recommend keeping this sort of diagnostic information locally in an encrypted file, separate from any actual log. I would then generate some sort of alert message, identifying the error and the system with the error, that would go into your system or application log and trigger someone to review the real information on the local system. Once resolved, the encrypted file would be cleared.

jbhall56
03-01-2009, 08:12 AM
I also have a question regarding logging. If a user account has read-only privileges, the log files do not have to log that user's activities, correct? (Other than the user logging on and off.)

No, you only have to log users that access cardholder data (CHD).

Also, if a user with admin privileges logs on, does logging need to track every detail? Or can it simply log when a user has changed something from the default settings? What is the scoop?

I'm assuming you are talking about your centralized logging server here. Remember, this is a 'bastion' server in your network and should be treated as such. You want to log EVERYTHING that occurs to this system as you never know what resulted in something else happening.

How about in the case of an application that has cc info flowing through only, i.e. it is not captured (other than in log files, where only an encrypted (gibberish) cc# is recorded as #$@%@@~ to indicate that the transaction involved a cc# and not cash)? Does detailed logging need to be activated? If so, why? No sensitive info can be garnered from this application. It cannot be used for anything other than a 'conduit' (it's middleware).

What you describe is acceptable logging in my book.

Remember why logging is important. If you are ever breached, your logs will likely be your primary evidence for the forensic examiners to prove that you were PCI compliant at the time of the breach. The less evidence you have, the more likely you will be judged non-compliant. So, ask your management which they would prefer: save on log storage and risk being judged non-PCI compliant, or spend a bit more and have the evidence? Most risk-averse managers will vote for spending a bit more money.
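The arrangement jbhall56 describes for filepillow's unparseable message (raw bytes kept in a side file apart from the log, an alert in the normal log that points at it, the side file cleared once resolved), together with the masked-cc# style of log entry rx.jeff describes, as an added example that is not code from any poster in this thread. Assumptions of mine: the quarantine directory, the alert fields, the event name and the Luhn-based detector are illustrative; encryption at rest of the quarantine file is left to the platform (an encrypted volume, for instance) and is not implemented here. The sample message is constructed, not captured traffic.

```python
"""Quarantine an ISO 8583 message the parser rejected instead of logging it raw.

Added example; assumptions (not from the thread): quarantine path, alert
format, event name and the Luhn-window detector. Encryption at rest of
the quarantine file is assumed to come from the platform, not this code.
"""
import logging
import os
import re
import socket
import tempfile
import uuid
from pathlib import Path

log = logging.getLogger("payments")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str):
    """Mask every Luhn-valid 13-19 digit window, keeping only its last four.

    Over-masking (an innocent number that happens to pass Luhn) is accepted;
    under-masking is the failure mode that matters. Returns (masked, hits).
    """
    out, hits, pos = [], 0, 0
    for m in re.finditer(r"\d{13,}", text):
        out.append(text[pos:m.start()])
        run, i = m.group(0), 0
        while i < len(run):
            hit = next((run[i:i + n] for n in range(19, 12, -1)
                        if i + n <= len(run) and luhn_ok(run[i:i + n])), None)
            if hit:
                out.append("*" * (len(hit) - 4) + hit[-4:])
                hits += 1
                i += len(hit)
            else:
                out.append(run[i])
                i += 1
        pos = m.end()
    out.append(text[pos:])
    return "".join(out), hits


def pan_like_count(raw: bytes) -> int:
    """Count PAN candidates in both encodings an unparsed message might use:
    ASCII digits, and packed BCD (visible through hex()). The hex view of an
    ASCII message adds noise, so this can over-count; it never under-counts."""
    _, ascii_hits = mask_pans(raw.decode("latin-1"))
    _, bcd_hits = mask_pans(raw.hex())
    return ascii_hits + bcd_hits


def quarantine(raw: bytes, reason: str, qdir: Path) -> dict:
    """Write the raw message to an owner-only file outside the log stream and
    return the alert record that goes to the normal log. The alert names the
    error and the host but carries no message content."""
    qdir.mkdir(parents=True, exist_ok=True)
    event_id = uuid.uuid4().hex
    fd = os.open(qdir / f"{event_id}.bin",
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(raw)
    alert = {
        "event": "iso8583_parse_failure",   # assumed event name
        "host": socket.gethostname(),
        "reason": reason,
        "quarantine_id": event_id,
        "length": len(raw),
        "pan_like": pan_like_count(raw) > 0,
    }
    log.error("%s", alert)   # this line is what lands in the application log
    return alert


def resolve(event_id: str, qdir: Path) -> None:
    """Clear the quarantined copy once the problem is understood."""
    (qdir / f"{event_id}.bin").unlink()


def demo() -> dict:
    """Round trip on a constructed message: MTI 0200, a bitmap, then an
    ASCII track-2 field holding a well-known test PAN."""
    raw = (bytes.fromhex("30323030" "7234054108c08000")
           + b";4111111111111111=25121011234?")
    qdir = Path(tempfile.mkdtemp())
    alert = quarantine(raw, "unknown bitmap layout", qdir)
    stored = (qdir / f"{alert['quarantine_id']}.bin").read_bytes()
    masked, hits = mask_pans(raw.decode("latin-1"))
    resolve(alert["quarantine_id"], qdir)
    return {"alert": alert, "stored_matches": stored == raw,
            "masked": masked, "ascii_hits": hits,
            "cleared": not any(qdir.iterdir())}


if __name__ == "__main__":
    print(demo())
```

The alert record is the only thing that reaches the shared log; anyone who needs the payload fetches it by `quarantine_id` from the local quarantine directory. `mask_pans` is what a pass-through middleware would run over any message text it does choose to log, which is the "gibberish cc#" entry rx.jeff describes; it also lets the alert say whether the rejected bytes look like they carry a PAN without putting the PAN in the log.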