
10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.

Customized Approach Objective

Records of all actions performed by individuals with elevated privileges are captured.

Defined Approach Testing Procedures

10.2.1.2 Examine audit log configurations and log data to verify that all actions taken by any individual with administrative access, including any interactive use of application or system accounts, are logged.

Purpose

Accounts with increased access privileges, such as the "administrator" or "root" account, have the potential to significantly impact the security or operational functionality of a system. Without a log of the activities performed, an organization cannot trace any issues resulting from an administrative mistake or misuse of privilege back to the specific action and account.

Definitions

The functions or activities considered to be administrative are beyond those performed by regular users as part of routine business functions.

Refer to Appendix G for the definition of "administrative access."

purpose

Log all actions taken by any individual with root or administrative privileges.

compliance strategies

  • Admin activity logging
  • Session recording

typical policies

  • Privileged Access Logging Policy

common pitfalls

  • Lack of admin session monitoring
  • Insufficient detail in logs

type

Technical Control

difficulty

High

key risks

  • Undetected privileged misuse

recommendations

  • Use PAM solutions (CyberArk, BeyondTrust)

Eligible SAQ

  • SAQ-A-EP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
