PCI DSS 10.2.1.4: Logging Authentication Mechanism Changes
PCI DSS 10.2.1.4 requires organizations to capture all modifications to identification and authentication mechanisms in audit logs. This critical control ensures you maintain visibility over identity infrastructure changes—a prime attack vector for unauthorized access. Without proper logging of these changes, you cannot detect credential compromise, unauthorized privilege escalation, or insider threats.
What this means
This control mandates that every change to your authentication systems—including password policy updates, multi-factor authentication modifications, access credential resets, and authentication method deployments—must be recorded in audit logs. These logs serve as your detective control, enabling forensic investigation of security incidents and demonstrating compliance during audits. The requirement covers both administrative changes and system-generated modifications across all authentication mechanisms.
How to comply
- 1.Implement centralized logging for all authentication infrastructure (identity providers, directory services, privileged access management systems)
- 2.Configure audit logging to capture: what changed, who changed it, when the change occurred, and what the previous value was
- 3.Ensure logs cannot be modified or deleted by system administrators (write-once storage or immutable log archives)
- 4.Retain authentication change logs for at least one year, with at least three months available for online review
- 5.Test log capture regularly to verify authentication changes are actually being logged before incidents occur
- 6.Establish alerting for critical authentication changes (policy modifications, account creation/deletion, credential resets)
Evidence auditors look for
- Audit log exports showing timestamp, user ID, authentication mechanism modified, previous value, new value, and change reason
- Centralized logging system configuration demonstrating capture of all authentication-related events
- Log retention policy documentation confirming one-year minimum retention with three-month online availability
- Test results from recent authentication change logging verification (e.g., admin policy update logged successfully)
- Change management records linked to audit log entries for all authentication system modifications
- Access controls on audit logs preventing administrator override or deletion of authentication change records
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically connects to your identity systems, aggregates authentication change events from multiple sources into a unified audit log, and generates compliance-ready reports showing all authentication mechanism modifications—eliminating manual log collection and reducing the time spent proving 10.2.1.4 compliance.
See how GRCWatch handles this control automatically
Start free trial