PCI DSS 10.2.2: Include Required Detail in Audit Log Entries
Audit logs are your compliance backbone—but only if they contain the right information. PCI DSS 10.2.2 mandates that every logged event includes user identification, event type, date/time, success/failure status, event origin, and affected data or resource. Without this detail, you can't prove what happened or who did it during an audit or incident investigation.
What this means
This control requires that all audit log entries be sufficiently detailed to reconstruct and monitor cardholder data activities. Each log must document: who performed the action (user ID), what action was taken (event type), when it occurred (precise date and time), whether it succeeded or failed (outcome status), where the action originated (source IP or terminal), and what data or system was affected. This granularity enables effective monitoring, compliance validation, and forensic investigation.
How to comply
- 1.Configure logging on all systems that access or process cardholder data to capture user identification for every action
- 2.Record the event type for each logged action (login, data access, configuration change, etc.)
- 3.Implement synchronized system clocks and log all events with precise date and time stamps
- 4.Capture success and failure indicators for all security events and access attempts
- 5.Log the source or origin of each event (IP address, terminal ID, session identifier)
- 6.Document the affected data or resource involved in each logged action
- 7.Retain audit logs for a minimum of one year and maintain online access for the most recent 90 days
- 8.Review and test log capture settings quarterly to ensure all required fields are being collected
Evidence auditors look for
- Sample audit log showing user ID, timestamp, event type (login), result (success), source IP, and accessed resource
- System configuration screenshots demonstrating audit logging is enabled for cardholder data environments
- Log retention policy documentation showing minimum one-year retention and 90-day online access requirements
- Failed login attempt logs capturing user, timestamp, failure reason, and source IP
- Database access logs recording user ID, timestamp, query type, success/failure, and affected table or record
- File access logs showing user, timestamp, file operation, outcome, and file path
- System clock synchronization documentation confirming consistent timestamps across all systems
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically collects, normalizes, and stores audit logs from your infrastructure with all required fields—user ID, event type, timestamp, outcome, origin, and affected resource—eliminating manual log review and ensuring consistent PCI DSS 10.2.2 compliance.
See how GRCWatch handles this control automatically
Start free trial