I am a retail systems network analyst for a major facility supplies retailer in Canada and I am currently neck deep in PCI compliance initiatives. We had passed our audit three years in a row with flying colors and all of a sudden this year we failed even though nothing had changed (result of our auditor’s interpretation of the DSS).
You need to be able to determine which files were accessed for requirement 10. In our retail environment we had to enable file auditing on any directory that contained critical CC information (although encrypted). We then use a product called GFI to scoop up the events and a Trend Micro Deep Security product to analyze and send alerts based on various criteria (TLOG decrypted after hours = notify LP, myself, etc.).
Remember that collecting the events is only half the battle as you need to be able to analyze, interpret, and act on suspicious events.
We ended up hiring a QSA from a company called NCI to assist with the interpretation of the various PCI DSS requirements. This way if we end up failing certain requirements at our follow-up audit, we can have a qualified QSA vouch for any compensating controls that we had to implement.
Good luck, you're going to need it!
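The kind of "accessed after hours = notify" rule described in the post, as an added example that is not part of the original post and is not the configuration of the products it names. The record layout, monitored directory, store hours, account names and process names are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, time
from pathlib import PureWindowsPath

# Assumptions (not from the post): audited directory, store hours, batch accounts.
MONITORED_DIRS = [PureWindowsPath(r"D:\POS\TLOG")]
OPEN, CLOSE = time(8, 0), time(18, 0)
BATCH_ACCOUNTS = {"svc_settlement"}  # hypothetical accounts expected to run overnight

# Constructed sample of collected file-audit events: timestamp,user,process,path,access
SAMPLE_EVENTS = r"""
2024-03-04T10:15:02,jsmith,pos.exe,D:\POS\TLOG\store12_0304.tlg,ReadData
2024-03-04T23:41:17,jsmith,decrypt.exe,d:\pos\tlog\store12_0304.tlg,ReadData
2024-03-05T02:00:05,svc_settlement,settle.exe,D:\POS\TLOG\store12_0304.tlg,ReadData
2024-03-05T23:05:40,bwong,notepad.exe,D:\POS\Reports\daily.txt,ReadData
2024-03-06T03:12:44,unknown
"""

def in_scope(path):
    """True if the file sits under an audited directory (Windows paths compare case-insensitively)."""
    parents = PureWindowsPath(path).parents
    return any(d in parents for d in MONITORED_DIRS)

def after_hours(ts):
    """True if the event time falls outside the assumed store hours."""
    return not (OPEN <= ts.time() < CLOSE)

def find_alerts(raw):
    """Return (kind, detail) tuples for events that someone has to look at."""
    alerts = []
    for row in csv.reader(io.StringIO(raw.strip())):
        try:
            stamp, user, process, path, access = row
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            # A record that cannot be parsed is surfaced, never silently dropped.
            alerts.append(("malformed", ",".join(row)))
            continue
        if in_scope(path) and after_hours(ts) and user.lower() not in BATCH_ACCOUNTS:
            detail = f"{stamp} {user} {process} {path} {access}"
            alerts.append(("after_hours_access", detail))
    return alerts

if __name__ == "__main__":
    for kind, detail in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT [{kind}] {detail}")
```

The allow-list of overnight batch accounts is what keeps the rule quiet enough that the remaining alerts get read and acted on.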