FAQ #1304 Diff

What devices does PCI DSS Requirement 10.6.2 apply to?

Earlier Version

PCI DSS Requirement 10.4.1 defines a number of events and system types that require daily log reviews, but Requirement 10.4.2 allows the organization to determine the log review frequency for all other in-scope events and systems that do not fall into those categories.

For some environments, it is possible that all in-scope systems fall under the system categories defined in Requirement 10.6.1, meaning that daily log reviews are required for all in-scope systems. In other environments, there may be many different types of system that are considered in scope, but which are not critical systems and neither store, process or transmit CHD nor provide security services to the CDE. Some possible examples could be stock-control or inventory-control systems, print servers (assuming there is no printing of CHD) or certain types of workstations. For these events or systems, the entity, as part of its annual risk assessment process, is expected to define the frequency for log reviews based on the risk to its specific environment.

Later Version

PCI DSS Requirement 10.4.1 defines several events and system types that require daily log reviews, but Requirement 10.4.2 allows the organization to determine the log review frequency for all other in-scope events and systems that do not fall under Requirement 10.4.1.

For some environments, all in-scope systems could fall under the system categories defined in Requirement 10.4.1, meaning that daily log reviews are required for all in-scope systems. In other environments, there may be systems that are considered in scope, but which do not meet the bullets specified in Requirement 10.4.1. Some examples could be stock-control or inventory-control systems, print servers, or certain types of workstations.

Requirement 10.4.2.1 specifies that the frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.