Frequently Asked Question

Does PCI DSS require both database and application logging?

The intent of the PCI DSS logging requirements is to provide a complete record of who did what, where, when, and how, so it can be used for investigation in the event of unexpected or unauthorized activities. Therefore, a combination of operating system logging, database logging, and/or application logging may be implemented as appropriate to record the events defined in Requirement 10. For example, if the operating system and/or installed applications are able and configured to log all individual access to cardholder data within a database, then configuring database logging in addition to these other logs may not be necessary.

Last updated: December 2022
Originally published: April 2012
Article Number: 1081
