PCI Requirement 10.3.4 – Success or Failure Indication
Successful or Not?
According to PCI Requirement 10.3.4, every log that’s generated must contain a success or failure indication to demonstrate whether the action that was taken was successful or not. Most applications are pretty good about logging the failed attempts; however, we find that from an assessment perspective, many organizations struggle with the successful events.
Through interviews and observation, auditors will try to verify that a success or failure indication is included in log entries.
Each log that’s generated must indicate whether the action that was taken was successful or not. Most applications, and most operating systems by default, are pretty good about logging the failed attempts. However, we find that from an assessment perspective, most organizations struggle with the successful events. Whether the event was successful or not, the outcome needs to be logged as part of the event that took place.
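One way to check logs for this gap before an assessment, shown as an added example that is not part of the original page: the script flags entries with no usable success or failure indication, and event types that only ever log failures. The JSON-lines format and the field names (`ts`, `event`, `user`, `outcome`) are assumptions made for the example, and the sample entries are constructed.

```python
import json
from collections import defaultdict

# Constructed sample entries; the field names (ts, event, user, outcome)
# are assumptions for this example, not a format PCI DSS prescribes.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "event": "login", "user": "alice", "outcome": "failure"}
{"ts": "2024-05-01T10:00:09Z", "event": "login", "user": "alice", "outcome": "success"}
{"ts": "2024-05-01T10:02:30Z", "event": "password_change", "user": "alice"}
{"ts": "2024-05-01T10:05:12Z", "event": "file_access", "user": "bob", "outcome": "failure"}
{"ts": "2024-05-01T10:05:40Z", "event": "file_access", "user": "bob", "outcome": "denied"}
not-json garbage line
"""

VALID_OUTCOMES = {"success", "failure"}


def audit_outcomes(log_text):
    """Return (bad_lines, failure_only_events).

    bad_lines: 1-based numbers of lines that cannot be parsed or carry
        no recognised success/failure indication.
    failure_only_events: event types with failures logged but never a
        success, a hint that successful actions are not being recorded.
    """
    bad_lines = []
    seen = defaultdict(set)  # event type -> outcomes observed
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            bad_lines.append(lineno)
            continue
        outcome = entry.get("outcome") if isinstance(entry, dict) else None
        outcome = outcome.lower() if isinstance(outcome, str) else None
        if outcome not in VALID_OUTCOMES:
            bad_lines.append(lineno)
            continue
        seen[entry.get("event", "<unknown>")].add(outcome)
    failure_only = sorted(e for e, o in seen.items() if o == {"failure"})
    return bad_lines, failure_only

if __name__ == "__main__":
    bad, failure_only = audit_outcomes(SAMPLE_LOG)
    print("entries without a usable indication:", bad)
    print("event types with failures only:", failure_only)
```

An event type that appears only with failures over a long enough sample is worth tracing back to the application or operating system audit settings, since real activity almost always includes successful actions.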