PCI DSS 10.5.1.2: Audit Log Integrity Protection
Audit logs are your compliance evidence trail—and they're a prime target for attackers trying to cover their tracks. PCI DSS 10.5.1.2 requires you to secure these logs to prevent unauthorized access, modification, or deletion. Without this protection, you cannot prove regulatory compliance or detect what happened during a breach.
What this means
This control mandates that all audit log files must be protected through technical and administrative safeguards. Logs must remain immutable and tamper-evident, ensuring that any attempt to alter or delete records is detectable. This includes logs generated across cardholder data environments (CDEs), payment systems, and supporting infrastructure.
How to comply
- 1.Implement centralized log aggregation using a dedicated, hardened logging server or SIEM platform
- 2.Enable write-once, read-many (WORM) storage or file immutability features where logs cannot be modified after creation
- 3.Restrict file permissions to read-only for authorized personnel; use role-based access control (RBAC)
- 4.Encrypt audit logs both in transit (TLS/SSL) and at rest (AES-256 or equivalent)
- 5.Enable log rotation and archival with retention policies matching PCI DSS requirements (minimum 1 year, 90 days online)
- 6.Configure log integrity monitoring and alerting for unauthorized access or deletion attempts
- 7.Regularly validate log completeness and integrity through hash verification or checksum testing
- 8.Document and test log backup procedures separate from production systems
Evidence auditors look for
- SIEM or log management system configuration showing immutability settings enabled
- File system permissions reports demonstrating restricted write access to audit log directories
- Encryption certificates and configuration documentation for logs in transit and at rest
- Log retention policy document aligned with PCI DSS timelines
- Audit logs of access attempts to the logging infrastructure itself
- Hash verification or integrity check reports from monthly log validation
- Backup procedures and restore test results showing successful recovery of audit logs
- Change logs showing who accessed, modified, or archived audit files and when
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates audit log collection, immutability enforcement, and integrity validation across your entire environment—eliminating manual log management and proving compliance readiness in real time.
See how GRCWatch handles this control automatically
Start free trial