Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1081 Published

Does the logging required at PCI DSS Requirements 10.2 and 10.3 mean we have to enable database logging as well?

The intent of the logging requirement is to provide a full record of who did what, when, and how, so that it can be used for investigation in the event of unexpected or unauthorized activities. In addition to operating system logging, either database logging or application logging (or a combination of both) should be implemented to show access to cardholder data. Requirement 10.2.1 specifically says to log "all individual access to cardholder data." If your applications log all individuals' access to the database, full database logging in addition to application logging may not be necessary. We suggest you contact a Qualified Security Assessor (QSA) for help with logging as they will be able to make recommendations based on an understanding of your actual environment. Our list of QSAs can be found at: https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
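The following is an added example, not part of the PCI SSC FAQ, illustrating what an application-level audit record has to carry if it is to stand in for database logging: who accessed the data, what they did, when, from where, whether it succeeded, and which record was touched, with the PAN masked rather than written to the log. It also shows the reconciliation check an assessor would want before accepting application logging in place of database logging: every individual access observed at the database side must have a matching application audit line. The field names, the masking routine and all sample data are this example's own constructions; the set of required fields is modelled on the PCI DSS 10.3 log-content elements (user ID, event type, timestamp, success/failure, origination, affected resource).

```python
"""Application-level audit logging of access to cardholder data (CHD).

Added example (not PCI SSC code).  Field names and sample data are constructed
for illustration; the required-field list mirrors the PCI DSS 10.3 elements.
"""
import json
import re
from datetime import datetime, timezone

# One key per 10.3 log-content element (assumed mapping for this example).
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "success", "origin", "resource")

# Any run of 13-19 digits in a log line is treated as a possible full PAN leak.
FULL_PAN_RE = re.compile(r"\b\d{13,19}\b")


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit_record(user_id, event_type, resource, origin, success, pan=None, when=None) -> str:
    """Build one JSON audit line for an individual access to cardholder data."""
    when = when or datetime.now(timezone.utc)
    rec = {
        "user_id": user_id,                                 # who
        "event_type": event_type,                           # what (read/update/export)
        "timestamp": when.isoformat(timespec="seconds"),    # when
        "success": success,                                 # outcome
        "origin": origin,                                   # from where (client IP/host)
        "resource": resource,                               # which record was touched
    }
    if pan is not None:
        rec["pan_masked"] = mask_pan(pan)                   # never the full PAN
    return json.dumps(rec, sort_keys=True)


def check_audit_line(line: str) -> list:
    """Return the problems found in one audit line; an empty list means it is acceptable."""
    problems = []
    try:
        rec = json.loads(line)
    except ValueError:
        return ["not valid JSON"]
    for field in REQUIRED_FIELDS:
        if field not in rec or rec[field] in ("", None):
            problems.append(f"missing {field}")
    if FULL_PAN_RE.search(line):
        problems.append("possible full PAN in log")
    return problems


def uncovered_accesses(db_accesses, audit_lines) -> list:
    """Return database-side (user, resource) accesses with no valid application audit line.

    Malformed lines do not count as coverage: a record that cannot say who
    touched which data does not satisfy 'all individual access'.
    """
    seen = set()
    for line in audit_lines:
        if check_audit_line(line):
            continue
        rec = json.loads(line)
        seen.add((rec["user_id"], rec["resource"]))
    return [access for access in db_accesses if access not in seen]


# Constructed sample data (not taken from any real environment).
_WHEN = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DB_ACCESSES = [("alice", "card/1001"), ("bob", "card/1002"), ("svc_batch", "card/1003")]
SAMPLE_AUDIT_LINES = [
    audit_record("alice", "read", "card/1001", "10.0.0.5", True, pan="4111111111111111", when=_WHEN),
    audit_record("bob", "update", "card/1002", "10.0.0.9", False, when=_WHEN),
    # Defective line: no user identity, and the full PAN was written to the log.
    json.dumps({"event_type": "export", "resource": "card/1003", "timestamp": _WHEN.isoformat(),
                "success": True, "origin": "10.0.0.12", "pan": "4111111111111111"}),
]

if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LINES:
        print(check_audit_line(line) or "ok", line)
    print("uncovered:", uncovered_accesses(SAMPLE_DB_ACCESSES, SAMPLE_AUDIT_LINES))
```

Run stand-alone, the script flags the third sample line for a missing user ID and a possible full PAN, and reports the `svc_batch` access to `card/1003` as not covered by application logging, which is exactly the gap that would make database logging still necessary for that path.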

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.