GRCWatch
Sign inStart free trial

PCI DSS 5.3.4: Enable and Retain Anti-Malware Audit Logs

Anti-malware audit logs are critical evidence that your organization is actively monitoring and defending against malicious software. PCI DSS 5.3.4 requires these logs be enabled and retained according to Requirement 10.5.1 standards. Without proper logging, you lose visibility into threats and fail a core compliance mandate.

What this means

This control mandates that all anti-malware solutions deployed across your environment must have audit logging enabled. These logs must capture detection events, remediation actions, and system activities. Retention periods follow PCI DSS Requirement 10.5.1, which typically requires logs be kept for at least one year with at least three months readily available online.

How to comply

  1. 1.Enable logging in all anti-malware solutions (endpoints, servers, network appliances)
  2. 2.Configure logs to capture malware detection events, quarantine actions, and remediation attempts
  3. 3.Set retention periods to match Requirement 10.5.1 minimums (1 year total, 3 months online)
  4. 4.Forward logs to a centralized logging system for aggregation and monitoring
  5. 5.Test log collection to verify data flows and completeness
  6. 6.Document logging configuration and retention policies in your anti-malware procedures

Evidence auditors look for

  • Anti-malware software configuration screenshots showing logging enabled
  • Sample log file exports demonstrating captured detection and remediation events
  • Log retention policy documentation specifying retention duration
  • Centralized SIEM or log management system configuration and log ingestion records
  • Change management records showing when logging was enabled
  • Quarterly log storage verification reports confirming retention compliance

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically maps anti-malware logging configurations across all your endpoints, validates retention compliance against PCI DSS 10.5.1 timelines, and generates audit-ready evidence dashboards—eliminating manual log verification.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 10.5.1 - Audit Log Retention RequirementsPCI DSS 5.3.1 - Anti-Malware ImplementationPCI DSS 5.3.2 - Anti-Malware UpdatesPCI DSS 6.3.2 - Log Monitoring and Alerting