There are nine major groupings of requirements in PCI DSS for Audit (all audit requirements have the 10.x nomenclature).
Fluency provides a PCI DSS compliance. Some requirements need action by the customer, like daily monitoring. Other require making sure the data gets to us or changing audit data as to capture all the proper fields.
Here is an overview of the PCI DSS to Fluency feature:
PCI DSS Requirement Group
10.1 Implement audit trails to link all access to system components to each individual user.
Correlation Engine links actions to person logged in via LDAP. Also merges data from VPN and firewalls that have user identification as part of their audit log.
10.2 Implement automated audit trails for all system components to reconstruct events.
Fluency can collect via syslog or poll interfaces to collect data. Pricing allows it so customers can store it all.
10.3 Record at least the following audit trail entries for all system components for each event log entries: user identification, type of event, date and time, success or failure indication and origination of event
Fluency's staff will help write parsers so that all the fields are parsed and stored. During this process, Fluency will highlight audit logs that are incomplete.
10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
All logs send to Fluency receive a second timestamp for an internal time system. All time is recorded in GMT.
10.5 Secure audit trails so they cannot be altered.
Fluency's LavaDB is immutable. Data is streamed in, but never deleted. Fluency Pseudonym capability allows token-value cables were data can be deleted to meet GDPR and CCPA requirements.
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.
Fluency Machine Learning highlights anomalies in the RiskScore module and sends notification on high-confidence issues.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
By default, Fluency stores 90-hot and one year cold. Fluency is capable of meeting longer retention requirements.
10.8 Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems.
Fluency's notification system set automated email (or RESTful) alerts to the customer. Additional MSSP support can be added to Fluency.
10.9 Examine documentation and interview personnel to verify that security policies and operational procedures for monitoring all access to network resources and cardholder data are: Documented, In use, and Known to all affected parties.
Fluency's international operations are documented in its security and business operations gitbook. This book is maintained by the users to the latest Standard Operational Procedures.