PCI DSS 10.2.1.3: Logging Invalid Logical Access Attempts
Invalid login attempts are a key indicator of unauthorized access attempts and potential security threats. PCI DSS 10.2.1.3 requires organizations to maintain detailed audit logs capturing every failed logical access attempt. This control helps detect brute-force attacks, credential stuffing, and suspicious activity patterns across your cardholder data environment.
What this means
This control requires your organization to implement and maintain comprehensive audit logging that captures all invalid logical access attempts. This includes failed login attempts across all systems that process, store, or transmit payment card data. The logs must record enough detail to identify who attempted access, what resource they tried to access, when the attempt occurred, and why it failed. These logs become critical forensic evidence during security incidents and compliance audits.
How to comply
- 1.Configure all systems and applications to log every failed authentication attempt with timestamps
- 2.Ensure logs capture the user ID or account name, source IP address, and resource access attempt details
- 3.Set appropriate logging retention periods to preserve invalid access attempt records (minimum 1 year)
- 4.Centralize logs in a Security Information and Event Management (SIEM) system or log aggregation platform
- 5.Implement automated alerting for repeated invalid access attempts from the same source
- 6.Regularly review invalid access logs for patterns indicating attack activity
- 7.Protect log files from unauthorized modification or deletion through access controls and integrity monitoring
- 8.Document your logging configuration and retention policy in your security procedures
Evidence auditors look for
- SIEM dashboard showing filtered invalid login attempts with source IP, timestamp, and failed credentials
- Application logs displaying authentication failures with account names and system timestamps
- Log retention policy documentation specifying minimum 1-year retention for failed access attempts
- Access control list (ACL) confirming read-only permissions on log files for authorized personnel only
- Alert configuration showing automated notifications triggered by repeated failed login attempts
- Compliance audit report documenting invalid access log review procedures and findings
- System configuration screenshots showing audit logging enabled on authentication systems
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically centralizes and analyzes invalid access logs across your entire environment, flagging suspicious attempt patterns and generating compliance-ready audit reports without manual log review.
See how GRCWatch handles this control automatically
Start free trial