Prevent Unauthorized Modifications
PCI Requirement 10.5.3 asks organizations to promptly back up audit trail files to a centralized log server or media that is difficult to alter. The purpose of PCI Requirement 10.5.3 is to support PCI Requirement 10.5 and prevent unauthorized modifications to audit trail files. The PCI DSS guidance also explains, “Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised.”
PCI Requirement 10.5.3 says that you should promptly back up logs to a central logging server or other media that’s difficult to alter. What’s interesting about this is what is meant by “promptly.” From an assessment perspective, we’re looking to make sure that you’re backing up those logs as close to real-time as possible and that you are backing them up to a central logging server or other media that is difficult to alter. This might mean that you are backing them up onto tape, or that you are writing them to a WORM (write-once, read-many) drive or CD drive. The purpose and intent behind these measures is to prevent modification of those logs.
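As an added example (not part of the PCI DSS text or any vendor's product), the following Python shows one way a central log server can make forwarded audit records difficult to alter and detect after-the-fact modification: each record's hash commits to the previous one, and the last hash is anchored out of band (for example on WORM media). The log lines, host names and field names are constructed sample data.

```python
import hashlib
from typing import Optional

GENESIS = "0" * 64  # anchor for the first record of an archive

# Constructed sample audit lines for the demonstration; not from any real system.
SAMPLE_LOGS = [
    "2024-01-05T10:00:01Z host=pos01 user=admin action=login result=success",
    "2024-01-05T10:00:07Z host=pos01 user=admin action=query table=cardholder rows=12",
    "2024-01-05T10:00:09Z host=pos01 user=admin action=logout",
]


def _link(prev_hash: str, line: str) -> str:
    # Each hash commits to the previous hash, so editing any line breaks every later link.
    return hashlib.sha256(f"{prev_hash}\n{line}".encode()).hexdigest()


def chain_records(lines, prev_hash=GENESIS):
    """Shipper side: wrap each log line in a hash-chained record before forwarding."""
    records = []
    for line in lines:
        h = _link(prev_hash, line)
        records.append({"line": line, "prev": prev_hash, "hash": h})
        prev_hash = h
    return records


def verify_chain(records, head: Optional[str] = None):
    """Central side: return (ok, first_bad_index). `head` is the last hash recorded
    out of band (e.g. on WORM media); passing it also detects a truncated archive."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or rec["hash"] != _link(prev, rec["line"]):
            return False, i
        prev = rec["hash"]
    if head is not None and prev != head:
        return False, len(records)
    return True, None


def tamper(records, index: int, new_line: str):
    """Simulate a modified copy of the archive (e.g. from a compromised source host)."""
    edited = [dict(r) for r in records]
    edited[index]["line"] = new_line
    return edited
```

The chain alone cannot detect removal of the newest records, which is why the head hash must live on media the generating system cannot rewrite.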