What Requirement 10 Means to You
So what does all of this mean for you, the owner or administrator, who must comply with the requirements set forth by the PCI DSS? In a nutshell, it means that you must be able to identify who was logged into or using a system at any given time, what they did on that system, and whether they accessed it in person or over a network connection.
The DSS sets forth the requirements contained in Section 10 because audit logging is the most reliable method of identifying which users accessed data on electronic systems. When enough of these elements are implemented and working correctly, they provide non-repudiation: a user cannot challenge or deny that they performed the action in question. In fact, without non-repudiation there is almost no chance of successfully prosecuting someone for theft or other criminal actions conducted online. The DSS is therefore explicit about its requirements for auditing and logging.
For more information on how we can help you become PCI compliant, please contact us.