Frequently Asked Question

Do PCI DSS Requirements 10.2 and 10.3 mean that both database and application logging are required?

The intent of the PCI DSS logging requirements is to provide a full record of who did what, where, when, and how, so it can be used for investigation in the event of unexpected or unauthorized activities. A combination of operating system logging, database logging, and/or application logging may be implemented as appropriate to record the events defined in Requirement 10.2.

For example, if the operating system and/or installed applications are able and configured to log all individual access to cardholder data within a database, then configuring database logging in addition to these other logs may not be necessary.
May 2014
Article Number: 1081