10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.

Customized Approach Objective

Stored activity records are secured and preserved in a central location to prevent unauthorized modification.

Defined Approach Testing Procedures

10.3.3 Examine backup configurations or log files to verify that current audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.

Purpose

Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected, even if the system generating the logs becomes compromised.

Writing logs from external-facing technologies such as wireless, network security controls, DNS, and mail servers, reduces the risk of those logs being lost or altered.

Good Practice

Each entity determines the best way to back up log files, whether via one or more centralized log servers or other secure media. Logs may be written directly, offloaded, or copied from external systems to the secure internal system or media.

Purpose

Protect audit logs from unauthorized modifications.

Compliance Strategies

  • Immutable storage
  • Access controls on log files

Typical Policies

  • Log Integrity Policy

Common Pitfalls

  • Logs can be altered
  • No access restrictions

Type

Technical Control

Difficulty

High

Key Risks

  • Log tampering

Recommendations

  • Use WORM storage or cloud log immutability

Eligible SAQ

  • SAQ-A-EP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
