In June 2010, the EPC approved an updated version of the document "The Use of Audit Trails in Security Systems: Guidelines for European Banks" (a link is included at the end of this article). These guidelines support payment service providers (PSPs) in complying with requirements established to ensure information security, i.e. protecting the confidentiality, integrity and availability of the data underlying a payment transaction. Specifically, the revised guidelines now include recommendations regarding the maintenance of so-called audit trails (or audit logs) of payment systems. Audit trails form part of any information security management system: they consist of a chronological sequence of audit records, where each record pertains to the execution of a specific business process or system function. Audit records typically result from activities such as transactions or communications triggered by individual people, systems, accounts or other entities. Such records, as documented in the audit trail, are ultimately relied upon to validate whether the system controls designed to ensure information security are adequate. Björn Flismark details the guidelines approved by the EPC on the use of audit trails in security systems.
The extended scope of the guidelines on the use of audit trails now also covers payment processes
The guidelines for the use of audit trails in security systems were first created in 2001 [1] to provide good practice recommendations on how computer and system audit trails should be captured, stored and used to support the management and operation of security in banking computer systems. The previous edition of these guidelines, however, did not consider the audit trails of payment systems. The scope of the updated edition now approved by the EPC was extended to include payments-related data, taking into consideration the implementation of the harmonised SEPA Payment Schemes.
The secure capture and storage of the audit trails of payment records, along with the relevant security audits, may, amongst other uses, serve as evidence in any related dispute resolution process. Such dispute resolution could take place between PSPs or between PSPs and their customers. The revised document is the basis from which specific guidance applicable to the SEPA Payment Schemes and to PSPs participating in these Schemes might be developed over time.
The updated guidelines also take into account that internationally agreed security requirements are placing ever-greater emphasis on the need to capture transactional audit trails. The guidelines focus on IT security and audit trails for security-related purposes, as well as on the audit trails of the business processes of banks, namely the processing of payments. The changes compared to the previous edition include updates to the bibliography and an extensive review of the principles (called recommendations in the previous version) with a view to improving clarity and to ensuring that these principles are aligned with present requirements regarding information security. Last but not least, the document could serve as a reference in service level agreements when outsourcing certain processing activities to third parties.
The EPC guidelines on the use of audit trails are fit for purpose and applicable to any business unit
PSPs must regularly conduct audits to validate whether appropriate controls ensuring information security are in place. Such security audits consist of an independent review and examination of a system's records and activities to determine the adequacy of system controls and to ensure compliance with established security policy and procedures. The validation of system controls will usually rely on a so-called audit trail, i.e. a chronological record of system activities which allows one to reconstruct and examine the environment and processes impacting a security-relevant transaction. Such activities are documented in an audit log consisting of a chronological sequence of audit records. An audit record is a single entry that describes one single auditable event. The systematic review of business processes or system functions as reflected in the audit log thus allows the detection of possible breaches of security policies and, in the event that such breaches are identified, the development of recommendations on how to improve system controls.
The updated guidelines approved by the EPC offer practical, easy-to-use principles allowing PSPs to implement a secure audit trail strategy. These principles are applicable to any part of an organisation, such as a business unit, corporate headquarters or data centres.
The document specifies audit principles in the following areas:
- Audit system design including events to be recorded, format and fields of records, audit tools
- Management of audit logs including ownership, access and classification of audit data, generation, storage and back-up of audit trails
- Retention periods
- Application and use of audit logs (e.g., internal investigations, presentation to court)
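The areas listed above (record format and fields, secure storage of the trail, and the use of the log to detect policy breaches) can be illustrated with a small working model. The following is an added example and is not part of the EPC document or any PSP's system: the record fields, the event names, the hash-chaining of records (so that alteration of a stored record can be detected) and the two review rules (four-eyes approval of payments, repeated failed logins) are assumptions chosen for illustration.

```python
"""Minimal append-only audit trail with hash chaining and a policy review.

Constructed example. The record fields (timestamp, actor, event, subject,
outcome), the event names and the two review rules are assumptions for
illustration only; they are not taken from the EPC guidelines.
"""
import hashlib
import json
from typing import Dict, List, Optional

Record = Dict[str, str]

GENESIS = "0" * 64  # prev_hash of the first record (a convention of this example)


def _digest(prev_hash: str, fields: Record) -> str:
    # Canonical serialisation so that the same event always hashes the same way.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class AuditTrail:
    """Chronological sequence of audit records; each record is one auditable event."""

    FIELDS = ("timestamp", "actor", "event", "subject", "outcome")

    def __init__(self) -> None:
        self.records: List[Record] = []

    def append(self, timestamp: str, actor: str, event: str,
               subject: str, outcome: str) -> Record:
        fields = {"timestamp": timestamp, "actor": actor, "event": event,
                  "subject": subject, "outcome": outcome}
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        record = dict(fields, prev_hash=prev_hash, hash=_digest(prev_hash, fields))
        self.records.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return the index of the first record whose chain is broken, or None if intact."""
        prev_hash = GENESIS
        for i, rec in enumerate(self.records):
            fields = {k: rec[k] for k in self.FIELDS}
            if rec["prev_hash"] != prev_hash or rec["hash"] != _digest(prev_hash, fields):
                return i
            prev_hash = rec["hash"]
        return None


def segregation_of_duties_breaches(trail: AuditTrail) -> List[str]:
    """Payment references that the same actor both submitted and approved."""
    submitters: Dict[str, str] = {}
    breaches: List[str] = []
    for rec in trail.records:
        if rec["event"] == "payment.submit" and rec["outcome"] == "success":
            submitters[rec["subject"]] = rec["actor"]
        elif rec["event"] == "payment.approve" and rec["outcome"] == "success":
            if submitters.get(rec["subject"]) == rec["actor"]:
                breaches.append(rec["subject"])
    return breaches


def repeated_failures(trail: AuditTrail, event: str, threshold: int) -> List[str]:
    """Actors with at least `threshold` consecutive failed records of `event`."""
    streak: Dict[str, int] = {}
    flagged: List[str] = []
    for rec in trail.records:
        if rec["event"] != event:
            continue
        if rec["outcome"] == "failure":
            streak[rec["actor"]] = streak.get(rec["actor"], 0) + 1
            if streak[rec["actor"]] == threshold and rec["actor"] not in flagged:
                flagged.append(rec["actor"])
        else:
            streak[rec["actor"]] = 0
    return flagged


def build_sample_trail() -> AuditTrail:
    """Constructed sample events, appended in chronological order."""
    t = AuditTrail()
    t.append("2010-06-01T08:00:00Z", "alice", "login", "session", "success")
    t.append("2010-06-01T08:01:10Z", "alice", "payment.submit", "PAY-1001", "success")
    t.append("2010-06-01T08:05:00Z", "bob", "payment.approve", "PAY-1001", "success")
    t.append("2010-06-01T08:06:00Z", "alice", "payment.submit", "PAY-1002", "success")
    t.append("2010-06-01T08:06:30Z", "alice", "payment.approve", "PAY-1002", "success")
    for s in range(3):
        t.append(f"2010-06-01T09:00:0{s}Z", "user7", "login", "session", "failure")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify() is None)
    print("segregation-of-duties breaches:", segregation_of_duties_breaches(trail))
    print("repeated login failures:", repeated_failures(trail, "login", 3))
    trail.records[3]["actor"] = "carol"  # simulate an after-the-fact alteration
    print("first broken record:", trail.verify())
```

Each record carries the hash of its predecessor, so an alteration of any stored record (or removal of one from the middle of the sequence) is detected by `verify()`, which is the property that makes the stored trail usable as evidence; the two review functions show the kind of systematic scan over the chronological log that the guidelines describe for detecting breaches of security policy.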
The EPC guidelines on the use of audit trails in security systems are available for download on the EPC web site (see link below).
Björn Flismark served as the Chair of the EPC Information Security Support Group (ISSG) until June 2010. He has been succeeded as Chair of the ISSG by Ruth Wandhöfer.
[1] The document was first published by the ECBS (European Committee for Banking Standards); the EPC has taken over the ECBS tasks and maintains a portfolio of documents originally created by the ECBS.