Policy of Least Privileges
Protection of audit trails requires strong access controls; once again, the policy of least privileges comes into play. Audit trails contain sensitive information that only some members of an organization should have access to. This is why PCI Requirement 10.5.1 requires organizations to limit viewing of audit trails to those with a job-related need.
It’s important to note that the PCI DSS doesn’t state that only administrators or those with elevated privileges can view audit trails; any individual who has a business need should have access to audit trails. During an assessment, an assessor will want to see that your organization implements controls to limit viewing of audit trails to those with a job-related need, and that everyone else is prevented from reading them.
This begins with PCI Requirement 10.5.1, and once again, comes back to that policy of least privileges: if one doesn’t need access, they shouldn’t be given access. Log material often contains a great deal of sensitive information, so PCI Requirement 10.5.1 says that only those individuals who have a job-related need should be able to view those logs. Notice that PCI Requirement 10.5.1 does not say that only administrators can view these logs; any individual who has a business need to view them can view the logs. All other individuals, however, should be prohibited from viewing the logs.
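One concrete way to demonstrate this control to an assessor is to check the file-system permissions on the log files themselves. The script below is an added example, not part of the original page or of any PCI DSS guidance: it assumes logs live in a directory on a Linux host with GNU coreutils (`stat -c`), that read access for the job-related group is granted through the file’s group bits, and that the world-readable bit is the violation to catch. The demo function builds a throwaway directory with constructed sample files rather than touching real logs.

```shell
#!/bin/sh
# Added example (not from the original page): audit a log directory for
# permissions that violate least privilege on audit trails.
# Assumptions: GNU stat; the job-related reader group is granted via the
# group bits, so group-read is allowed but group-write and any access for
# "other" is a violation. Ownership is not checked here.

# check_log_perms DIR
# Prints one line per violation; returns 1 if any violation was found.
check_log_perms() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")          # e.g. 640, or 4755 with setuid
        other=${mode#"${mode%?}"}          # last octal digit (other)
        g=${mode%?}
        group=${g#"${g%?}"}                # second-to-last digit (group)
        if [ $(( other & 4 )) -ne 0 ]; then
            echo "WORLD_READABLE $f mode=$mode"; rc=1
        fi
        if [ $(( other & 2 )) -ne 0 ]; then
            echo "WORLD_WRITABLE $f mode=$mode"; rc=1
        fi
        if [ $(( group & 2 )) -ne 0 ]; then
            echo "GROUP_WRITABLE $f mode=$mode"; rc=1
        fi
    done
    return $rc
}

# demo_log_perms: constructed sample directory with one compliant file
# (0640) and two non-compliant ones (0644 world-readable, 0660
# group-writable). Prints the number of violations found.
demo_log_perms() {
    d=$(mktemp -d)
    : > "$d/audit.log"; chmod 0640 "$d/audit.log"
    : > "$d/syslog";    chmod 0644 "$d/syslog"
    : > "$d/app.log";   chmod 0660 "$d/app.log"
    check_log_perms "$d" | wc -l | tr -d ' '
    rm -rf "$d"
}

# Usage on a real host (not run here): check_log_perms /var/log/audit
```

Run against a real log directory, the non-zero return code and the printed lines give you the evidence an assessor asks for; the group-write check is there because a reader who can also modify the trail defeats its purpose as evidence, not just its confidentiality.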