PCI DSS 10.5.1: Audit Log Retention for 12 Months
PCI DSS 10.5.1 requires your organization to maintain audit logs for a full 12 months, keeping the most recent three months readily accessible for immediate analysis and investigation. This control is fundamental to detecting and responding to security incidents quickly, making it non-negotiable for any payment card processor.
What this means
This control mandates that all audit logs—records of user activities, system changes, and access attempts—must be retained for at least 12 months total. Critically, the most recent three months of logs must remain online and immediately available for review without retrieval delays. The remaining nine months may be archived offline or in cold storage, provided they can be retrieved within a reasonable timeframe if needed for investigations or compliance audits.
How to comply
- 1.Implement centralized log collection that captures all system and application activity across your environment
- 2.Configure your logging infrastructure to retain logs for a minimum of 12 months
- 3.Ensure the most recent 3 months of logs are stored on readily accessible, online systems
- 4.Archive logs older than 3 months to secure offline or cold storage with documented retrieval procedures
- 5.Establish and document log retention policies that specify storage locations, retention periods, and access controls
- 6.Test log retrieval processes quarterly to verify older archived logs can be recovered if needed
- 7.Implement automated alerts for log storage capacity to prevent accidental deletion or data loss
- 8.Restrict access to audit logs using role-based access controls and track who accesses them
Evidence auditors look for
- System administration logs showing login attempts, privilege escalations, and configuration changes
- Application logs capturing user transactions, authentication events, and failed access attempts
- Database logs including query execution, data modifications, and administrative actions
- Firewall and network device logs recording connection attempts, blocked traffic, and rule changes
- Screenshots or reports from your log management system showing 12-month retention and 3-month online availability
- Log archival schedule documentation detailing how logs transition from online to offline storage
- Access logs for the audit log system itself, proving who accessed the logs and when
- Disaster recovery test results confirming archived logs can be restored within acceptable timeframes
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates audit log collection, retention policies, and archival workflows so your logs are always compliant and immediately accessible without manual configuration or storage management headaches.
See how GRCWatch handles this control automatically
Start free trial