10.2.1 Audit logs are enabled and active for all system components and cardholder data.
Original requirement from PCI DSS v4.0.1
This requirement focuses on ensuring that audit logging is properly implemented and actively generating records across all system components that store, process, or transmit cardholder data. Effective audit logging is essential for security monitoring, incident response, and forensic investigations, because without it the sequence of events during an incident cannot be reconstructed.
Sub-requirements
- 10.2.1.1 Audit logs capture all individual user accesses to cardholder data.
- 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
- 10.2.1.3 Audit logs capture all access to audit logs.
- 10.2.1.4 Audit logs capture all invalid logical access attempts.
- 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.
- 10.2.1.6 Audit logs capture all initialization, stopping, or pausing of the audit logs.
- 10.2.1.7 Audit logs capture all creation and deletion of system-level objects.
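The seven sub-requirements above each name a category of event that must appear in the audit trail. The following added example (not part of the PCI DSS text or any vendor's tooling) checks a constructed sample of key=value log lines against that list and reports, per sub-requirement, which in-scope hosts produced at least one qualifying event and which produced none; the event category names (`cat=...`), field names and host names are assumptions for illustration.

```python
"""Coverage check for PCI DSS 10.2.1.1-10.2.1.7 over a sample of audit events."""
from collections import defaultdict

# Assumed mapping from each sub-requirement to the event categories that satisfy it.
REQUIRED_EVENTS = {
    "10.2.1.1": {"chd_access"},                                # user access to CHD
    "10.2.1.2": {"admin_action"},                              # administrative actions
    "10.2.1.3": {"audit_log_access"},                          # access to the audit logs
    "10.2.1.4": {"auth_failure", "authz_failure"},             # invalid logical access
    "10.2.1.5": {"credential_change"},                         # ident/auth credential changes
    "10.2.1.6": {"audit_start", "audit_stop", "audit_pause"},  # audit log lifecycle
    "10.2.1.7": {"object_create", "object_delete"},            # system-level objects
}

# Constructed sample events; in practice these would be pulled from the SIEM.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z host=db01 cat=chd_access user=alice action=select table=cards
ts=2024-05-01T10:00:05Z host=app01 cat=auth_failure user=bob reason=bad_password
ts=2024-05-01T10:01:00Z host=db01 cat=admin_action user=root action=grant
ts=2024-05-01T10:02:00Z host=app01 cat=credential_change user=carol field=password
ts=2024-05-01T10:03:00Z host=db01 cat=audit_stop user=root
ts=2024-05-01T10:03:30Z host=db01 cat=audit_start user=root
"""

def parse_events(text):
    """Parse key=value lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events

def coverage_report(events, in_scope_hosts):
    """Return {sub_req: {"hosts": [...], "missing_hosts": [...]}}.

    A host listed under missing_hosts emitted no event in that category at all,
    which is a prompt to verify the log source, not proof of non-compliance
    (e.g. a host with no CHD legitimately produces no chd_access events).
    """
    seen = defaultdict(set)
    for ev in events:
        for req, cats in REQUIRED_EVENTS.items():
            if ev.get("cat") in cats:
                seen[req].add(ev.get("host"))
    return {
        req: {"hosts": sorted(seen[req]),
              "missing_hosts": sorted(set(in_scope_hosts) - seen[req])}
        for req in REQUIRED_EVENTS
    }

if __name__ == "__main__":
    for req, row in coverage_report(parse_events(SAMPLE_LOG), ["db01", "app01"]).items():
        print(req, row)
```

On the sample data, 10.2.1.3 and 10.2.1.7 have no covering events from any host, which is exactly the "log sources missed" pitfall this check is meant to surface.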
Purpose
Implement automated audit logs for all system components so that events can be reconstructed.
Compliance strategies
- Enable audit logging on all systems
- Centralize logs using SIEM
Typical policies
- Audit Logging Standard
Common pitfalls
- Logging not enabled on all systems
- Log sources missed
Type
Technical Control
Difficulty
Moderate
Key risks
- Inability to investigate incidents
Recommendations
- Deploy SIEM (Splunk, QRadar, LogRhythm)
Eligible SAQ
- SAQ-A-EP
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER