PCI DSS v4.0 Requirement 10 mandates logging of all access to cardholder data environments, protection of audit trails from tampering, and regular log review and analysis.
PCI DSS is the payment card industry standard developed by the PCI Security Standards Council (Visa, Mastercard, Amex, Discover, JCB). Version 4.0 became mandatory on March 31, 2024, replacing v3.2.1. Requirement 10 ("Log and Monitor All Access to System Components and Cardholder Data") is one of the most prescriptive logging requirements in any compliance framework. PCI DSS specifies exactly what events must be logged, what data each log entry must contain, how logs must be protected, and how frequently they must be reviewed.
PCI DSS v4.0 became mandatory on March 31, 2024
Requirement 10 is one of the 12 core PCI DSS requirements and covers all logging obligations
Non-compliance can result in fines of $5,000-$100,000 per month from payment brands
PCI DSS explicitly requires log integrity protection (Requirement 10.5)
Retention period: Minimum 12 months, with 3 months immediately available (Requirement 10.7)
Implement automated audit trails for all system components to reconstruct the following events: individual user access to cardholder data, all actions taken by any individual with root or admin privileges, access to all audit trails, invalid logical access attempts, use of and changes to identification and authentication mechanisms, and initialization, stopping, or pausing of audit logs.
How AuditKit helps: Comprehensive event capture with structured schemas covering all PCI DSS required event types
Record at least the following for each event: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, component, or resource.
How AuditKit helps: Structured event schemas capture all required fields with extensible metadata
Secure audit trails so they cannot be altered. Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.
How AuditKit helps: SHA-256 hash chains and Merkle tree proofs provide cryptographic tamper detection
Retain audit trail history for at least 12 months, with at least the most recent three months immediately available for analysis.
How AuditKit helps: Configurable retention with hot/warm/cold storage tiers
PCI DSS v4.0 Requirement 10 mandates logging all access to cardholder data, admin actions, authentication events, and access control changes. Logs must include user ID, event type, date/time, success/failure, source, and affected resource. Logs must be tamper-proof (10.5) and retained for 12 months (10.7). AuditKit provides all of these capabilities with cryptographic integrity.
PCI DSS Requirement 10.5 requires that audit trails cannot be altered. AuditKit uses SHA-256 hash chains in which each log entry's hash covers the hash of the previous entry, so altering or removing any earlier entry changes every hash after it and the break is detectable. Merkle tree proofs allow any single entry to be verified against the tree root without scanning the entire log. This exceeds the file-integrity monitoring that PCI DSS 10.5 requires.
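The following is an added illustration, not AuditKit's code, showing the two mechanisms the answer above describes and the per-event fields listed under the entry-content requirement: an append-only log whose entries carry the six required data points (the field names `user_id`, `event_type`, `timestamp`, `outcome`, `origin`, `resource` and the all-zero genesis hash are assumptions), a SHA-256 hash chain that links each entry to its predecessor, and a Merkle root with inclusion proofs so a single entry can be checked without rereading the whole log. The sample events are constructed.

```python
"""Hash-chained audit log carrying the per-event fields PCI DSS 10.2.2 lists.

Added illustration, not AuditKit's code. Each entry's SHA-256 hash covers the
previous entry's hash, so altering or deleting a stored entry breaks the chain;
a Merkle root over the entry hashes lets one entry be checked with a short proof.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry (assumed convention)
# The six per-event data points the entry-content requirement names (assumed field names)
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "outcome", "origin", "resource")


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def entry_hash(fields, prev_hash):
    """Hash = SHA-256(prev_hash || canonical JSON of the fields)."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return sha256_hex(prev_hash + body)


class AuditLog:
    def __init__(self):
        self.entries = []  # appended in order; never rewritten in place

    def append(self, **fields):
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError("entry lacks required fields: %s" % missing)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        rec = {"fields": fields, "prev_hash": prev, "hash": entry_hash(fields, prev)}
        self.entries.append(rec)
        return rec


def verify_chain(entries):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, rec in enumerate(entries):
        if rec["prev_hash"] != prev or rec["hash"] != entry_hash(rec["fields"], prev):
            return False, i
        prev = rec["hash"]
    return True, None


def _next_level(level):
    """One Merkle round: duplicate an odd last node, then hash adjacent pairs."""
    if len(level) % 2:
        level = level + [level[-1]]
    return [sha256_hex(a + b) for a, b in zip(level[0::2], level[1::2])]


def merkle_root(hashes):
    level = list(hashes)
    if not level:
        return GENESIS
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(hashes, index):
    """Sibling hashes from leaf to root, each tagged with whether it sits on the right."""
    proof, level, idx = [], list(hashes), index
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append((level[idx ^ 1], idx % 2 == 0))
        level, idx = _next_level(level), idx // 2
    return proof


def verify_proof(leaf_hash, proof, root):
    """Recompute the path to the root: O(log n) work instead of rescanning the log."""
    h = leaf_hash
    for sibling, sibling_on_right in proof:
        h = sha256_hex(h + sibling) if sibling_on_right else sha256_hex(sibling + h)
    return h == root


def build_sample_log():
    """Constructed sample events (not real data) covering several required event types."""
    log = AuditLog()
    log.append(user_id="jsmith", event_type="cardholder_data_read", timestamp="2024-04-01T09:15:02Z",
               outcome="success", origin="10.0.5.17", resource="db.cardholders")
    log.append(user_id="jsmith", event_type="login", timestamp="2024-04-01T09:20:40Z",
               outcome="failure", origin="10.0.5.17", resource="pos-gateway")
    log.append(user_id="root", event_type="privileged_command", timestamp="2024-04-01T09:21:05Z",
               outcome="success", origin="bastion-01", resource="/etc/audit/auditd.conf")
    log.append(user_id="root", event_type="audit_log_stopped", timestamp="2024-04-01T09:21:30Z",
               outcome="success", origin="bastion-01", resource="auditd")
    return log


def tamper_demo():
    """Rewriting one stored entry is caught even if its own hash is recomputed."""
    log = build_sample_log()
    forged = copy.deepcopy(log.entries)
    forged[1]["fields"]["outcome"] = "success"      # hide the failed login
    naive = verify_chain(forged)                     # hash no longer matches the fields
    forged[1]["hash"] = entry_hash(forged[1]["fields"], forged[1]["prev_hash"])
    recomputed = verify_chain(forged)                # next entry's prev_hash now mismatches
    return naive, recomputed
```

A verifier that holds only the current Merkle root (for example one published to an external witness) can confirm a single entry with `verify_proof`, while `verify_chain` is the full-scan check suited to periodic review; in practice the root or the latest chain hash must be stored somewhere the log writer cannot modify, or an attacker with write access could simply rebuild the whole chain.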
SOC 2 requires organizations to maintain comprehensive audit logs that track user activity, system changes, and security events across all trust services criteria.
SOX requires publicly traded companies to maintain audit trails for financial reporting systems, including logging of access to financial data, changes to financial records, and internal controls over financial reporting.
DORA requires EU financial entities and their ICT service providers to implement comprehensive logging for ICT-related incidents, change management, and access control.