Frequently Asked Question

To which devices does PCI DSS Requirement 10.4.2 apply?

PCI DSS Requirement 10.4.1 defines several events and system types that require daily log reviews, but Requirement 10.4.2 allows the organization to determine the log review frequency for all other in-scope events and systems that do not fall under Requirement 10.4.1.

For some environments, all in-scope systems could fall under the system categories defined in Requirement 10.4.1, meaning that daily log reviews are required for all in-scope systems. In other environments, there may be systems that are considered in scope, but which do not meet the bullets specified in Requirement 10.4.1. Some examples could be stock-control or inventory-control systems, print servers, or certain types of workstations.

Requirement 10.4.2.1 specifies that the frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

July 2025
Article Number: 1304
