The Payment Card Industry (PCI) Data Security Standard (DSS) requires organizations that deal with credit card transactions to “Implement automated audit trails for all system components to reconstruct all individual user accesses to cardholder data.” (Section 10.2). Complying with this requirement poses a significant challenge for organizations that rely on both legacy and modern applications, since most applications do not include a logging mechanism that allows reconstruction of user access events to cardholder data.
Developing such a mechanism in-house involves tremendous effort, since thousands of the organization’s programs need to be changed. An alternative solution that tracks access to the corporate databases is insufficient, since it typically tracks only “update” actions performed in the database and does not cover “read” actions. Even if “read” actions are tracked, in many cases the user-id is not captured, since many applications use a generic user-id for database access. Another type of solution that is usually considered is log aggregation. This type of solution can help meet other requirements of the DSS, but it relies on data provided by the existing application logs, and if this information is insufficient, log aggregation will not help comply with Section 10.2.
Intellinx provides unparalleled visibility into the interaction of all of the organization’s employees with the internal business applications, including users with root or administrative privileges. Every screen viewed and every keystroke made by end-users is recorded and stored by the system, allowing for visual reconstruction of the access events. The Intellinx solution is non-invasive, does not require any changes or installation on existing hosts or clients, and does not have any performance impact.