10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
This requirement focuses on implementing audit logs that detect anomalies and suspicious activity and support forensic analysis of security events. Proper logging mechanisms are essential for tracking user activity and identifying potential security incidents.
Sub-requirements
- 10.2.1: Audit logs are enabled and active for all system components and cardholder data.
- 10.2.1.1: Audit logs capture all individual user access to cardholder data.
- 10.2.1.2: Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
- 10.2.1.3: Audit logs capture all access to audit logs.
- 10.2.1.4: Audit logs capture all invalid logical access attempts.
- 10.2.1.5: Audit logs capture all changes to identification and authentication credentials.
- 10.2.1.6: Audit logs capture all initialization, stopping, or pausing of the audit logs.
- 10.2.1.7: Audit logs capture all creation and deletion of system-level objects.
- 10.2.2: Audit logs record the following details for each auditable event:
10.2 Audit logs are implemented to reconstruct events.
Ensure that audit logs capture all necessary events to reconstruct user activities and detect potential security incidents.
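As an added example (not part of this page or of the PCI DSS standard itself), the following Python script parses a constructed set of JSON-lines audit records and reports how many records satisfy each of the 10.2.1.x event categories listed above, so that a category with no events at all (here 10.2.1.7, creation and deletion of system-level objects) shows up as a coverage gap. It also lists every start, stop or pause of the audit logs (10.2.1.6), which is the kind of event a monitoring rule should raise immediately. The record schema (`ts`, `actor`, `role`, `action`, `target`, `outcome`) and the action names are assumptions made for this example, not a format any product or the standard prescribes.

```python
import json
from datetime import datetime

# Constructed sample audit records in JSON-lines form. The field names and
# action vocabulary are assumptions for this example only.
SAMPLE_LOG = """
{"ts": "2024-03-01T09:00:00Z", "actor": "alice", "role": "user", "action": "read", "target": "chd:pan_table", "outcome": "success"}
{"ts": "2024-03-01T09:05:00Z", "actor": "bob", "role": "admin", "action": "shell", "target": "host:db01", "outcome": "success"}
{"ts": "2024-03-01T09:06:00Z", "actor": "bob", "role": "admin", "action": "read", "target": "audit:syslog", "outcome": "success"}
{"ts": "2024-03-01T09:10:00Z", "actor": "mallory", "role": "user", "action": "login", "target": "host:app01", "outcome": "failure"}
{"ts": "2024-03-01T09:12:00Z", "actor": "bob", "role": "admin", "action": "password_change", "target": "account:carol", "outcome": "success"}
{"ts": "2024-03-01T09:15:00Z", "actor": "bob", "role": "admin", "action": "audit_stop", "target": "audit:syslog", "outcome": "success"}
"""

# Every record must carry these fields to be usable for event reconstruction.
REQUIRED_FIELDS = ("ts", "actor", "role", "action", "target", "outcome")

# One predicate per 10.2.1.x sub-requirement: does this record count as an
# event of that category? Targets are prefixed by type (chd:, audit:, host:, account:).
REQUIREMENTS = {
    "10.2.1.1": lambda r: r["target"].startswith("chd:"),                     # access to cardholder data
    "10.2.1.2": lambda r: r["role"] == "admin",                                # any action by an administrative user
    "10.2.1.3": lambda r: r["target"].startswith("audit:")
                          and r["action"] in {"read", "write", "delete"},      # access to the audit logs themselves
    "10.2.1.4": lambda r: r["action"] == "login" and r["outcome"] == "failure",  # invalid logical access attempt
    "10.2.1.5": lambda r: r["action"] in {"password_change", "key_rotation",
                                          "account_create", "account_delete"},  # credential changes
    "10.2.1.6": lambda r: r["action"] in {"audit_start", "audit_stop", "audit_pause"},  # audit log lifecycle
    "10.2.1.7": lambda r: r["action"] in {"object_create", "object_delete"},   # system-level objects
}


def missing_fields(record):
    """Return the required fields absent from one parsed record."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def parse_log(text):
    """Parse JSON lines into records, rejecting any that lack required fields
    or carry an unparseable timestamp (an incomplete record cannot be
    reconstructed later, so it is better to fail loudly at ingest)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        absent = missing_fields(rec)
        if absent:
            raise ValueError(f"line {lineno}: missing fields {absent}")
        datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")  # validates the timestamp format
        records.append(rec)
    return records


def coverage(records):
    """Count how many records satisfy each 10.2.1.x category."""
    return {req: sum(1 for r in records if pred(r)) for req, pred in REQUIREMENTS.items()}


def missing_requirements(records):
    """Categories with zero matching records: either nothing happened in the
    sample window or, more likely, the source is not logging that event type."""
    return sorted(req for req, n in coverage(records).items() if n == 0)


def logging_interruptions(records):
    """Every start/stop/pause of the audit logs, as (timestamp, actor, action)."""
    return [(r["ts"], r["actor"], r["action"]) for r in records if REQUIREMENTS["10.2.1.6"](r)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for req, n in coverage(recs).items():
        print(f"{req}: {n} event(s)")
    print("no events seen for:", missing_requirements(recs))
    print("audit log interruptions:", logging_interruptions(recs))
```

To use this on real data, replace `SAMPLE_LOG` with an export from your log platform and adapt the predicates to the field names and action vocabulary your sources actually emit; the point of the script is the coverage table, which makes an unlogged category visible before an assessor or an incident does.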
Key Risks
Frequently Asked Questions
Why are audit logs important?
They provide a record of user and system activity, enabling detection and investigation of security incidents.
What events must be logged?
All access to cardholder data, administrative actions, access to audit trails, invalid access attempts, and the other events listed under 10.2.1.
How should audit logs be protected?
By restricting access, using secure storage, and monitoring for unauthorized changes.
How long should audit logs be retained?
At least 12 months, with at least three months immediately available for analysis.
What happens if audit logs are missing or incomplete?
It may be impossible to reconstruct events or investigate incidents, leading to compliance failures.
Common QSA Questions
Can you show your audit log configuration and samples?
Yes, we maintain configuration records and can provide recent log samples.
How do you ensure all required events are logged?
We use automated log management tools and regularly review log settings.
How are audit logs protected from unauthorized modification?
Through access controls, immutable storage, and regular monitoring.