Frequently Asked Questions

< Back to search page

Does PCI DSS Requirements 10.2 and 10.3 mean that both database and application logging is required?

FAQ Response

The intent of the PCI DSS logging requirements is to provide a full record of who did what, where, when, and how, so it can be used for investigation in the event of unexpected or unauthorized activities.  A combination of operating system logging, database logging, and/or application logging may be implemented as appropriate to record the events defined in Requirement 10.2.

For example, if the operating system and/or installed applications are able and configured to log all individual access to cardholder data within a database, then configuring database logging in addition to these other logs may not be necessary.

May 2014
Article Number 1081

Related Articles

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are acceptable formats for truncation of primary account numbers?

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?

What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant’s PCI DSS assessment?