FAQ #1081 Diff

Does the logging required at PCI DSS Requirements 10.2 and 10.3 mean we have to enable database logging as well?

Earlier Version
2009-05-13T00:00:00+00:00

Later Version
2014-05-28T00:00:00+00:00

Removed

Added

The intent of the PCI DSS logging ~~requirement~~requirements is to provide a full record of who did what, where, when, and how, so ~~that~~ it can be used for investigation in the event of unexpected or unauthorized activities. InA ~~addition~~combination toof operating system logging, ~~either~~ database ~~logging~~logging, orand/or application logging ~~(or a combination of both) should~~may be implemented toas ~~show access~~appropriate to ~~cardholder~~record ~~data.~~the events defined in Requirement ~~10.2.1~~10.2.

For ~~specifically~~example, ~~says~~if the operating system and/or installed applications are able and configured to log ~~?all~~all individual access to cardholder ~~data.?~~data Ifwithin ~~your applications log all individuals? access to the~~a database, ~~full~~then configuring database logging in addition to ~~application~~these ~~logging~~other logs may not be necessary. We suggest you contact a Qualified Security Assessor (QSA) for help with logging as they will be able to make recommendations based on an understanding of your actual environment. Our list of QSAs can be found at: https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.