GRCWatch
Sign inStart free trial

PCI DSS 10.4.2: Review Other System Component Logs Periodically

PCI DSS 10.4.2 requires organizations to review logs from system components not covered by daily monitoring on a periodic basis. This control bridges the gap between continuous monitoring of critical systems and comprehensive audit coverage, ensuring no suspicious activity goes undetected across your entire environment. Neglecting periodic reviews of secondary systems creates blind spots that threaten data security and compliance standing.

What this means

While PCI DSS 10.4.1 mandates daily review of critical system component logs, this control extends oversight to less critical infrastructure components. Organizations must establish and execute a defined review schedule—weekly, monthly, or quarterly depending on risk assessment—for logs generated by systems not included in daily monitoring. This includes network devices, secondary servers, database instances, and other components that may contain security-relevant events. The periodic review must be documented, evidencing that reviews occurred and identifying any notable findings.

How to comply

  1. 1.Identify and inventory all system components not covered by daily log review (e.g., non-critical servers, network appliances, backup systems)
  2. 2.Define a periodic review schedule based on risk assessment and business requirements
  3. 3.Establish clear review procedures including what log types to examine and what constitutes a reportable event
  4. 4.Assign ownership and accountability for conducting periodic reviews
  5. 5.Document each review occurrence with dates, reviewers, and findings
  6. 6.Investigate and respond to any security events or anomalies discovered during reviews
  7. 7.Retain evidence of reviews for audit and compliance verification

Evidence auditors look for

  • Documented log review schedules showing frequency (weekly, monthly, or quarterly) for each non-critical component
  • Review logs or sign-off sheets confirming completion of periodic reviews with dates and reviewer names
  • Incident reports or investigation records resulting from anomalies found during periodic reviews
  • System logs from secondary components with clear retention and archival policies
  • Policy documentation defining which components require daily vs. periodic review
  • Evidence of role assignments and responsibilities for conducting periodic reviews

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates the scheduling, execution, and documentation of periodic log reviews across your non-critical systems, reducing manual tracking overhead and generating audit-ready evidence automatically.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 10.4.1 — Review Critical System Component Logs DailyPCI DSS 10.1 — Implement Automated Audit TrailsPCI DSS 10.3 — Protect Audit Trail History from AlterationPCI DSS 10.7 — Retain Audit Trail History for at Least One Year