Session Recording for Compliance: SOX, HIPAA, and PCI Mapped to Capabilities
DataDike Security Research
PAM Research & Compliance
Three regulatory regimes converge on privileged session monitoring in almost the same words (SOX only indirectly, through the control framework the auditor applies), and in all three the auditor asks for the same thing at the workstation: pick a session, play it back, show me the commands. The features that satisfy that request are not the ones in the vendor brochure. They are specific, narrow, and often missing from half-implemented deployments.
What "session recording" actually has to capture
A complete session recording for compliance is the union of five streams:
- Keystroke and command history with timestamps — the input stream the operator produced.
- Screen capture with sub-second resolution — the visual output the system produced.
- File-transfer manifest with hashes — every file moved in or out of the session.
- Clipboard-operation log — every paste, especially of credentials or data.
- Session metadata — who, when, from where, to what, with what justification.
Recordings that capture three of the five are common. Recordings that capture all five with timeline-aligned playback are what auditors actually want.
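The reconstruction the auditor asks for, as an added example (not DataDike's code and not a real recording format): the stream layout, field names and the sample session below are constructed assumptions. The block merges the five streams into one timestamp-ordered timeline, replays the raw keystroke stream into the command lines that were actually submitted (backspaces applied, Enter as the submission time), and reports which of the five streams a recording is missing.

```python
"""Timeline-aligned reconstruction of a privileged session from the five
recording streams.  Added example for this article, not DataDike product code.
The stream layout, field names and the sample session are constructed
assumptions, not a real recording format."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Iterable

REQUIRED_STREAMS = ("keystrokes", "screen", "files", "clipboard", "metadata")


@dataclass(order=True)
class Event:
    ts: float       # seconds since session start
    stream: str     # which of the five streams produced it
    detail: str     # what the playback pane shows


def typed(t0: float, text: str, cadence: float = 0.05) -> list[tuple[float, str]]:
    """Expand a string into per-key events `cadence` seconds apart.
    Only used to build the constructed sample below."""
    return [(round(t0 + i * cadence, 3), ch) for i, ch in enumerate(text)]


# Constructed sample session (assumption, not captured from a real host):
# two commands, one typo corrected with backspace, one paste, one download.
SAMPLE = {
    "metadata": {"session_id": "s-0001", "user": "jdoe", "from": "10.0.0.5",
                 "to": "fin-db-01", "justification": "CHG-4711"},
    "keystrokes": typed(1.0, "sudo ls /etc\n")
                  + typed(3.0, "cat /etc/shadox\bw\n"),     # "\b" = backspace
    "screen": [(1.9, "frame-0001"), (4.1, "frame-0002")],   # frame ids, not pixels
    "clipboard": [(2.5, "paste 38 bytes (content redacted)")],
    "files": [(5.0, "download /var/backups/ledger.db sha256="
                    + hashlib.sha256(b"constructed ledger.db bytes").hexdigest())],
}


def commands_from_keystrokes(keys: Iterable[tuple[float, str]]) -> list[tuple[float, str]]:
    """Replay the input stream into the command lines the operator actually
    submitted: backspace edits the buffer, Enter submits.  The timestamp kept
    is the Enter, i.e. when the command reached the target."""
    buf: list[str] = []
    out: list[tuple[float, str]] = []
    last_ts = 0.0
    for last_ts, key in keys:
        if key == "\n":
            out.append((last_ts, "".join(buf)))
            buf = []
        elif key == "\b":
            if buf:
                buf.pop()
        else:
            buf.append(key)
    if buf:   # input never submitted is still evidence; keep it, marked
        out.append((last_ts, "".join(buf) + "  <not submitted>"))
    return out


def missing_streams(rec: dict) -> list[str]:
    """Which of the five streams are absent or empty.  A non-empty answer is
    the 'three of five' state the article calls out."""
    return [s for s in REQUIRED_STREAMS if not rec.get(s)]


def build_timeline(rec: dict) -> list[Event]:
    """Merge every stream into one timestamp-ordered list for playback."""
    m = rec["metadata"]
    events = [Event(0.0, "metadata",
                    f"{m['user']} {m['from']} -> {m['to']} justification={m['justification']}")]
    events += [Event(ts, "command", c) for ts, c in commands_from_keystrokes(rec["keystrokes"])]
    events += [Event(ts, "screen", f) for ts, f in rec["screen"]]
    events += [Event(ts, "clipboard", d) for ts, d in rec["clipboard"]]
    events += [Event(ts, "files", d) for ts, d in rec["files"]]
    return sorted(events)


def show_commands(rec: dict) -> list[str]:
    """The auditor's request, literally: the commands, in order."""
    return [c for _, c in commands_from_keystrokes(rec["keystrokes"])]


if __name__ == "__main__":
    for e in build_timeline(SAMPLE):
        print(f"{e.ts:6.2f}  {e.stream:<9} {e.detail}")
```

The point of replaying keystrokes rather than grepping a shell history file is that the history file is written by the target and can be edited or disabled there; the input stream is captured at the proxy, before the target sees it. Timestamping on Enter is also what lets a command be lined up against the screen frame that shows its output.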
SOX (Sarbanes-Oxley) Section 404 / SSAE 18 SOC 1
SOX itself specifies no PAM controls; the control framework the auditor applies does. For a SOC 1 report (controls relevant to financial reporting), the relevant controls are segregation of duties and change management on in-scope financial systems. The recording requirement, in practice, is that any administrative session on a system that processes financial data must be reconstructable.
| Audit expectation | Capability |
|---|---|
| Reconstruct any admin session on financial systems | Full keystroke + screen recording |
| Prove segregation of duties at session level | Approval chain in session metadata |
| Demonstrate that recordings are tamper-proof | Hash-chained or WORM-stored recordings |
| Produce a session for an arbitrary date | Searchable index with retention ≥ 7 years |
HIPAA — Security Rule §164.312
HIPAA's technical safeguards include audit controls (§164.312(b)) and integrity (§164.312(c)). For systems holding ePHI, every access by a workforce member with administrative privileges must be auditable. The OCR investigations we have seen lean heavily on whether the covered entity can produce a specific session on demand, not just a log of session start and stop.
| HIPAA citation | Capability |
|---|---|
| §164.312(b) — audit controls | Session recording with command capture |
| §164.312(c)(1) — integrity | Hash-chained audit log + immutable storage |
| §164.312(a)(2)(i) — unique user IDs | Per-session check-out, no shared accounts |
| §164.312(e)(1) — transmission security | TLS to all targets + encrypted session storage |
PCI-DSS 4.0 — Requirements 10.x and 7.x
PCI DSS 4.0 is more specific than SOX or HIPAA about what the record must contain. Requirements 10.2.1.1 and 10.2.1.2 (numbered 10.2.1 and 10.2.2 in v3.2.1, which many deployments still quote) demand logs of all individual user access to cardholder data and of all actions taken by anyone with administrative access, and 10.2.2 fixes the fields every log entry must carry. The auditor will pick a date, ask you to reconstruct it, and write a finding if the reconstruction is incomplete.
| PCI DSS 4.0 requirement | What it demands | Recording feature |
|---|---|---|
| 10.2.1.1 (v3.2.1: 10.2.1) | All individual user access to cardholder data | Per-session attribution + retention |
| 10.2.1.2 (v3.2.1: 10.2.2) | All actions taken by anyone with administrative access, including interactive use of application or system accounts | Keystroke + command capture |
| 10.2.2 | Each entry records user identification, event type, date and time, success or failure, origination, and the affected data, component or resource | Session metadata bound to every recorded event |
| 10.3.2 (v3.2.1: 10.5.2) | Audit log files protected from modification | Hash-chained log + WORM storage |
| 10.5.1 (v3.2.1: 10.7) | Audit logs retained ≥ 12 months, most recent ≥ 3 months immediately available | Tiered retention with online + cold storage |
Retention realities
Session recordings are large. An hour of full-fidelity RDP runs around 200–500 MB; an hour of SSH is far smaller, typically under 1 MB. For a 1,000-session-per-day estate that works out to tens of TB per year, and past 100 TB if the mix is mostly hour-long RDP (1,000 × 365 × 300 MB is about 110 TB). The retention strategy that survives audit is tiered: full recording online for 90 days, compressed recording on cold storage out to the 7-year mark (or beyond, for tax-related SOX scope).
Common audit failure
The audit fails not because the recording is missing but because playback breaks at year 4, typically because the recording format or player has moved on, or the key that encrypted the archive is no longer available. Test cold-storage retrieval annually, with the current player and a full integrity check of the restored recording, not at audit time; a drill that only confirms the archive object still exists proves nothing.
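The "hash-chained or WORM-stored" rows in all three tables and the restore drill above, as one added example (not DataDike's implementation; the segment layout, chaining scheme and sample segments are constructed assumptions). Each stored segment carries the previous segment's hash and its own, so an edit breaks every later link; the drill recomputes the whole chain on the restored copy. It also shows the caveat that matters in year 4: a chain alone does not detect truncation, so the final hash has to be anchored outside the chain (WORM object or signed manifest) at write time.

```python
"""Hash-chained recording segments and the restore drill that verifies them.
Added example for this article, not DataDike's implementation: the segment
layout, the chaining scheme and the sample segments are constructed
assumptions."""
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first segment

# Constructed sample: three segments of one session as written at capture time.
SAMPLE_SEGMENTS = [
    {"t0": 0.0, "t1": 60.0, "commands": ["sudo ls /etc"], "frames": ["frame-0001"]},
    {"t0": 60.0, "t1": 120.0, "commands": ["cat /etc/shadow"], "frames": ["frame-0002"]},
    {"t0": 120.0, "t1": 130.0, "commands": [], "files": ["download /var/backups/ledger.db"]},
]


def _record_hash(rec: dict) -> str:
    """SHA-256 over the canonical JSON of (seq, prev_hash, segment).  Canonical
    encoding matters: a verifier on another host must produce the same bytes."""
    body = {k: rec[k] for k in ("seq", "prev_hash", "segment")}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def chain_segments(segments: list[dict]) -> list[dict]:
    """Write-time chaining: every stored record carries the previous record's
    hash and its own, so any edit breaks every later link."""
    prev, out = GENESIS, []
    for seq, seg in enumerate(segments):
        rec = {"seq": seq, "prev_hash": prev, "segment": seg}
        rec["hash"] = _record_hash(rec)
        out.append(rec)
        prev = rec["hash"]
    return out


def verify_chain(records: list[dict],
                 anchored_head: str | None = None) -> tuple[bool, int | None, str]:
    """Restore drill.  Recomputes every link and returns (ok, first_bad_seq, reason).
    `anchored_head` is the final hash recorded outside the chain at write time
    (WORM object, signed manifest); without it, truncation is undetectable."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if not all(k in rec for k in ("seq", "prev_hash", "segment", "hash")):
            return False, i, "malformed record"
        if rec["seq"] != i:
            return False, i, "gap or reordering"
        if rec["prev_hash"] != prev:
            return False, i, "prev_hash mismatch"
        if _record_hash(rec) != rec["hash"]:
            return False, i, "content modified"
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(records), "head does not match anchored value"
    return True, None, "ok"


def demo() -> dict[str, tuple[bool, int | None, str]]:
    """Drill the verifier against intact, edited and truncated copies."""
    recs = chain_segments(SAMPLE_SEGMENTS)
    head = recs[-1]["hash"]                       # the value you anchor in WORM
    tampered = json.loads(json.dumps(recs))       # independent deep copy
    tampered[1]["segment"]["commands"][0] = "ls -la /home"   # rewrite history
    truncated = recs[:-1]                         # last segment silently dropped
    return {
        "intact": verify_chain(recs, head),
        "tampered": verify_chain(tampered, head),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<22} {result}")
```

The truncated case is the one to watch in a real drill: a chain that has lost its tail still verifies cleanly, which is exactly what an operator who wants the last ten minutes of a session to disappear would rely on. Whatever you anchor the head to (a WORM write, a signature, an external timestamp) must be stored somewhere the recording pipeline itself cannot rewrite.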
Where DataDike fits
DataDike captures all five streams (keystroke, screen, file-transfer manifest with hashes, clipboard, and metadata) for every session, with timeline-aligned playback in a single pane. Recordings are hash-chained at write time and can be exported to WORM storage on a configurable cadence. The retention model supports online-90/cold-N years, and cold retrieval is exercised by built-in restore drills you can schedule and assign to the SOC team.