GRCWatch
Sign inStart free trial

PCI DSS 10.2.1.2: Log All Audit Log Access

Audit logs are only as trustworthy as your ability to detect tampering. PCI DSS 10.2.1.2 requires you to log every single access to your audit logs themselves—creating an unbreakable chain of custody. Without this detective control, attackers could cover their tracks by modifying or deleting evidence of their activities.

What this means

This control mandates that your system automatically records who accessed audit logs, when they accessed them, and what actions they performed. This creates a complete audit trail of audit log activity, ensuring that any unauthorized access or modifications to audit records are immediately detectable. It's a fundamental anti-tampering mechanism that prevents attackers from erasing evidence of their presence.

How to comply

  1. 1.Enable logging functionality for all audit log access events at the application and system level
  2. 2.Capture user identity, timestamp, access type (read, modify, delete), and outcome for each audit log access
  3. 3.Configure systems to write these access logs to a centralized, protected repository separate from production logs
  4. 4.Implement log protection mechanisms to prevent modification or deletion of audit log access records
  5. 5.Set retention periods that meet PCI DSS requirements (minimum 1 year, with 3 months readily available)
  6. 6.Test logging functionality quarterly to verify all audit log access events are being captured accurately

Evidence auditors look for

  • Database transaction logs showing user access to audit log tables with timestamps and query details
  • System access logs recording login attempts to log management platforms or SIEM consoles
  • Application-level audit trail showing user downloads, exports, or views of audit reports
  • Syslog or centralized logging records demonstrating all access events to audit storage locations
  • Change management records showing modifications made to audit logs with user attribution
  • Monitoring alerts triggered when unauthorized users attempt to access audit log systems

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically centralizes and monitors all audit log access events across your systems, alerting you instantly to unauthorized access attempts and maintaining tamper-proof records that demonstrate PCI DSS 10.2.1.2 compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 10.2.1.1PCI DSS 10.2.2PCI DSS 10.2.3PCI DSS 10.3PCI DSS 10.4