Audit Policy settings for PCI Compliance

Audit Policy configuration required for PCI Compliance
This article describes the audit policy required for PCI Compliance.

The following Audit Policy is required for PCI Compliance:
  • Account Logon Events – Success and Failure
  • Account Management Events – Success and Failure
  • Directory Service Access Events – Failure
  • Logon Events – Success and Failure
  • Object Access Events – Success and Failure
  • Policy Change Events – Success and Failure
  • Privilege Use Events – Failure
  • Process Tracking – No Auditing
  • System Events – Success and Failure

Directory Service Access Events are available on a Domain Controller only.
Object Access – Used in conjunction with Folder and File Auditing. Auditing Failures reveals attempted access to forbidden secure objects which may be an attempted security breach. Auditing Success is used to provide an Audit Trail of all access to secured data, for example, card data in a settlement/transaction file/folder.

We recommend using Netwrix File Server Change Reporter to monitor file changes; do not enable this audit policy for Event Log Manager.
NOTE: When using Windows Server 2008 / Windows 7 or later, there is an ‘Advanced Audit Policy Configuration’ option available, which allows more precise application of auditing of Object Access events and is useful in eliminating unwanted events. If available, enable the ‘Audit File System’ option only for Success, and optionally Failure, but leave other settings as ‘Not Configured’.

Process Tracking – not recommended as this will generate a large number of events.
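
One way to check a host against the list above, as an added example that is not part of the original article or of any Netwrix tool: it parses the `[Event Audit]` section of a `secedit /export` security template and compares each value with the required setting. The function name `Test-PciAuditPolicy` and the sample export are constructed for illustration.

```powershell
# Added example: compare the [Event Audit] section of a secedit export with the
# policy listed in this article. 0 = No Auditing, 1 = Success, 2 = Failure, 3 = both.
$Required = [ordered]@{
    AuditAccountLogon    = 3   # Account Logon Events
    AuditAccountManage   = 3   # Account Management Events
    AuditDSAccess        = 2   # Directory Service Access Events (DC only)
    AuditLogonEvents     = 3   # Logon Events
    AuditObjectAccess    = 3   # Object Access Events
    AuditPolicyChange    = 3   # Policy Change Events
    AuditPrivilegeUse    = 2   # Privilege Use Events
    AuditProcessTracking = 0   # Process Tracking
    AuditSystemEvents    = 3   # System Events
}
$Names = 'No Auditing', 'Success', 'Failure', 'Success and Failure'

function Test-PciAuditPolicy {   # hypothetical helper name
    param([string[]]$InfLines, [switch]$IsDomainController)
    # Collect "key = value" pairs from the [Event Audit] section only.
    $actual = @{}; $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)\s*$') { $actual[$Matches[1]] = [int]$Matches[2] }
    }
    foreach ($key in $Required.Keys) {
        # Directory Service Access is only available on a Domain Controller.
        if ($key -eq 'AuditDSAccess' -and -not $IsDomainController) { continue }
        $have = if ($actual.ContainsKey($key)) { $Names[$actual[$key]] } else { 'missing from export' }
        [pscustomobject]@{
            Setting = $key; Required = $Names[$Required[$key]]; Actual = $have
            Compliant = ($actual.ContainsKey($key) -and $actual[$key] -eq $Required[$key])
        }
    }
}

# Constructed sample export (not taken from a real system).
$sample = @'
[System Access]
MinimumPasswordAge = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
'@ -split '\r?\n'
Test-PciAuditPolicy -InfLines $sample | Format-Table -AutoSize
```

On a live host, run `secedit /export /cfg <file> /areas SECURITYPOLICY` from an elevated prompt and pass `Get-Content <file>` as `-InfLines`, adding `-IsDomainController` on a Domain Controller. The export shows the basic category settings only; subcategory settings made through ‘Advanced Audit Policy Configuration’ are reported by `auditpol /get /category:*`.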

We recommend configuring the following policies and leaving the other policies as is:
  • System Events – Success and Failure
  • Policy Change Events – Success and Failure
  • Account Management Events – Success and Failure
  • Account Logon Events – Success and Failure
  • Logon Events – Success and Failure
  • Privilege Use – No Auditing