PCI DSS 10.2.1: Capture Individual User Access to Cardholder Data
Audit logging for cardholder data (CHD) access is a cornerstone of PCI DSS compliance and data protection. Control 10.2.1 requires organizations to capture every individual user interaction with sensitive payment card information—creating an immutable record for investigation, accountability, and audit purposes. Without proper access logging, you're flying blind when it comes to who touched your most critical data.
What this means
This control mandates that your organization implement and maintain audit logs that capture all individual user access events to cardholder data. This includes viewing, modifying, copying, or transmitting CHD in any form—whether in databases, files, applications, or storage systems. Each log entry must identify the specific user, timestamp, action taken, and relevant CHD elements accessed. These logs serve as the forensic backbone of your compliance program, enabling detection of unauthorized access, investigation of security incidents, and proof of accountability.
How to comply
- 1.Deploy audit logging at all systems and applications that store, process, or transmit cardholder data
- 2.Configure logging to capture individual user identification (usernames, IDs, or session identifiers)
- 3.Record precise timestamps for each access event in a standardized, synchronized time format
- 4.Log the specific action performed (read, write, delete, export, or query) on CHD elements
- 5.Capture details about the data accessed—specific fields, records, or data types involved
- 6.Implement centralized log collection and secure storage to prevent tampering or deletion
- 7.Establish log retention policies meeting PCI DSS minimum requirements (typically 1 year minimum)
- 8.Test and validate that logging captures all required data access events across your entire environment
- 9.Review logs regularly and establish alerts for suspicious or anomalous access patterns
Evidence auditors look for
- Audit logs from database management systems showing user queries against CHD tables with timestamps and user IDs
- Application access logs recording individual user interactions with payment card data fields
- System event logs documenting file access, copying, or transfer of CHD by named users
- Centralized SIEM (Security Information and Event Management) reports aggregating access events across systems
- Log configuration documentation proving audit logging is enabled on all CHD-handling systems
- Retention policy documentation showing logs are kept for required timeframes
- Sample audit trail exports demonstrating capture of user ID, timestamp, action type, and data elements accessed
- Change management records showing implementation and testing of audit logging controls
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates audit log collection from your databases, applications, and systems, normalizing access events into a unified compliance dashboard where you can instantly verify that individual user access to CHD is being captured and retained—eliminating manual log hunting and reducing audit prep time by weeks.
See how GRCWatch handles this control automatically
Start free trial