PCI Compliance and Audit Trail History
Now that you’ve implemented logging, what do you do with the logs? PCI Requirement 10.7 requires that you retain audit trail history for at least one year, with a minimum of three months immediately available for analysis. A year is the required length of time because it can take months to notice that a compromise has occurred or is still occurring, and a year’s worth of audit trail history gives investigators enough to establish how long a breach lasted and which systems it touched.
The PCI DSS guidance also states, “By having a minimum of three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.”
The assessment process for PCI Requirement 10.7 is straightforward: the assessor examines your retention policies and procedures, then examines the audit logs themselves to verify that at least one year is retained and that the most recent three months are immediately available.
There are two places within the PCI DSS that call out log retention. Back in PCI Requirement 5, the antivirus mechanisms are required to generate audit logs that are retained in accordance with PCI Requirement 10.7. PCI Requirement 10.7 itself has two parts: retain the logs for at least one year regardless of the medium they are kept on, and keep at least the most recent three months immediately available. From an assessment perspective, we’re going to ask you to roll back your log server, or pull back the logs you hold on tape backup, and we’re going to look to see that you have at least one year’s worth of logs stored and at least three months available for review without a restore.
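The two checks described above (one year retained on any medium, three months immediately available) can be mechanized against an inventory of log archive segments. The following is an added example written for this page, not code from the original page, the PCI SSC, or any assessor's toolkit. It assumes that "one year" means 365 days and "three months" means 90 days, both ending today (PCI DSS 10.7 does not fix exact day counts), that each segment records the first and last day of logs it holds, and that segments are tagged "online" (searchable now) or "offline" (tape or cold archive needing a restore). The `LogSegment` type, the function names and the sample inventory are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed interpretation (PCI DSS 10.7 does not fix exact day counts):
# "one year" = 365 days, "three months" = 90 days, both ending today.
RETENTION_DAYS = 365
ONLINE_DAYS = 90


@dataclass(frozen=True)
class LogSegment:
    """One contiguous run of retained audit logs for a log source."""
    start: date   # first day of logs the segment holds (inclusive)
    end: date     # last day of logs the segment holds (inclusive)
    tier: str     # "online": searchable now; "offline": tape/cold archive needing a restore


def coverage_gaps(segments, window_start, window_end, tiers):
    """Return [(first_missing_day, last_missing_day), ...] for days in
    [window_start, window_end] that no segment in `tiers` covers.
    Segments may be unsorted and may overlap."""
    spans = sorted((s.start, s.end) for s in segments if s.tier in tiers)
    gaps = []
    cursor = window_start                      # first day not yet proven covered
    for start, end in spans:
        if end < cursor:                       # segment lies entirely before the unproven region
            continue
        if start > cursor:                     # uncovered days before this segment begins
            gaps.append((cursor, min(start - timedelta(days=1), window_end)))
        cursor = max(cursor, end + timedelta(days=1))
        if cursor > window_end:
            break
    if cursor <= window_end:                   # window runs past the last segment
        gaps.append((cursor, window_end))
    return gaps


def assess_retention(segments, today):
    """Evaluate both halves of Requirement 10.7 against the inventory."""
    year_start = today - timedelta(days=RETENTION_DAYS - 1)
    online_start = today - timedelta(days=ONLINE_DAYS - 1)
    year_gaps = coverage_gaps(segments, year_start, today, {"online", "offline"})
    online_gaps = coverage_gaps(segments, online_start, today, {"online"})
    return {
        "one_year_retained": not year_gaps,
        "one_year_gaps": year_gaps,
        "three_months_online": not online_gaps,
        "three_months_online_gaps": online_gaps,
    }


# Constructed sample inventory for one log source (not real data). The tape
# holding October 2019 was overwritten, and the SIEM's hot storage only goes
# back to 2020-04-10, so both checks fail and the gaps are reported.
SAMPLE_TODAY = date(2020, 6, 30)
SAMPLE_SEGMENTS = [
    LogSegment(date(2019, 7, 1), date(2019, 9, 30), "offline"),
    LogSegment(date(2019, 11, 1), date(2020, 4, 9), "offline"),
    LogSegment(date(2020, 4, 10), date(2020, 6, 30), "online"),
]


def sample_assessment():
    return assess_retention(SAMPLE_SEGMENTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for key, value in sample_assessment().items():
        print(f"{key}: {value}")
```

The gap list is the useful output for an assessment: a failing one-year check tells you which archive media to locate or which retention job broke, and a failing three-month check tells you how far back a restore would be needed before analysts could search. Run it per log source, since a central log server with a year of history does not cover an antivirus console that rotates its own logs after 30 days.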