PCI DSS – Requirement 10 – Track and Monitor All Access to Network Resources and Cardholder Data •

PCI DSS – Requirement 10 – Track and Monitor All Access to Network Resources and Cardholder Data

See how ISMS.online can help your business

See it in action
By Max Edwards | Updated 8 February 2024

PCI DSS Requirement 10 mandates the tracking and monitoring of all access to network resources and cardholder data, ensuring that all interactions are logged and auditable. This requirement is fundamental in identifying and responding to security incidents promptly, thereby enhancing the overall security posture and accountability within the cardholder data environment.

Jump to topic

What Is PCI DSS, Requirement 10?

When it comes to protecting cardholder data within the payment ecosystem, PCI DSS Requirement 10 is your organisation’s frontline defence. This requirement is designed to ensure that all access to system components and cardholder data is logged and monitored. By doing so, it helps to prevent, detect, and minimise the risk of data compromise.

The Consequences of Non-Adherence

Failing to comply with the secure payment standards set by PCI DSS, particularly Requirement 10, can lead to severe implications. Non-adherence may result in hefty fines, loss of customer trust, and potential long-term damage to your business reputation. It’s not just about regulatory compliance; it’s about safeguarding your organisation’s integrity.

Mandates for Monitoring Network Resources

Requirement 10 explicitly mandates the monitoring of network resources to track and scrutinise all access to cardholder data. This includes maintaining a vigilant watch over user activities, ensuring that each access point is logged, and anomalies are promptly addressed.

ISMS.online: Your Partner in Compliance

At ISMS.online, we understand the complexities of PCI DSS compliance. Our platform is designed to facilitate your adherence to Requirement 10 by providing a structured environment for monitoring network resources, managing audit trails, and ensuring that your compliance efforts are as streamlined as possible. With our tools and expertise, you can focus on your core business, confident in the knowledge that your payment security measures are robust and compliant.

Book a demo

The Role of PCI SSC in Requirement 10

The Payment Card Industry Security Standards Council (PCI SSC) is the authoritative body that mandates compliance with the PCI Data Security Standard (DSS), including Requirement 10. As the custodian of these standards, the PCI SSC’s authority extends to defining the protocols for securing cardholder data and ensuring that all entities handling this data adhere to the prescribed security measures.

Annual Validation of Compliance

Each year, organisations involved in processing, storing, or transmitting cardholder data must validate their compliance with PCI DSS. This process involves a thorough review of security practices and an assessment of adherence to the requirements set forth by the PCI SSC. For Requirement 10, this means verifying that all access to system components and cardholder data is appropriately logged and monitored.

Key Elements of a PCI SSC Audit

During a PCI SSC audit, particular attention is paid to how well an organisation implements and maintains the logging and monitoring controls required by Requirement 10. The audit assesses the effectiveness of mechanisms for tracking user activities, the protection of audit trails from unauthorised alterations, and the regular review of logs for any anomalies or suspicious activities.

Streamlining Compliance with ISMS.online

At ISMS.online, we understand the complexities of preparing for PCI SSC validation. Our platform is designed to simplify this process by providing you with the tools and frameworks necessary to effectively manage your compliance efforts. With our services, you can ensure that your organisation’s practices are aligned with Requirement 10 and other PCI DSS requirements, making the annual validation process more efficient and less daunting.


Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

Consequences of Non-Compliance with Requirement 10

Non-compliance with PCI DSS Requirement 10 can lead to severe penalties and lasting damage to your organisation’s reputation. It is crucial to recognise the potential outcomes of failing to log and monitor access to system components and cardholder data adequately.

Fines and Penalties for Non-Compliance

If your organisation does not comply with Requirement 10, you could face substantial fines from payment card brands and acquiring banks. These fines vary depending on the volume of transactions, the duration of non-compliance, and the severity of the breach. They can range from a few thousand to millions of dollars, imposing a significant financial burden on your business.

Impact on Customer Trust and Business Reputation

Trust is the cornerstone of customer relationships, and non-compliance can erode this trust rapidly. A breach or non-compliance incident can lead to a loss of customer confidence, negatively affecting your brand and potentially leading to a loss of business. The public nature of such incidents can have long-term implications for customer loyalty and acquisition.

Long-Term Repercussions of Non-Compliance

Beyond immediate fines and trust issues, non-compliance with PCI DSS can result in increased scrutiny from regulators and payment industry partners. It may lead to higher compliance costs in the future, as well as legal liabilities if customer data is compromised.

Mitigating Risks with ISMS.online

At ISMS.online, we provide a comprehensive platform to help you maintain continuous compliance with PCI DSS Requirement 10. Our tools and services are designed to streamline the process of logging and monitoring access, ensuring that you meet the standard’s rigorous requirements and reduce the risk of non-compliance. With our support, you can safeguard your organisation against the consequences of failing to protect cardholder data.


Role of QSAs in Validating PCI DSS Requirement 10

Qualified Security Assessors (QSAs) play a pivotal role in ensuring that organisations comply with PCI DSS Requirement 10. Their expertise is critical in evaluating the effectiveness of log and monitoring systems designed to safeguard cardholder data.

Assessing Log and Monitoring Controls

QSAs conduct comprehensive assessments to verify that all access to system components and cardholder data is logged and monitored as mandated by Requirement 10. They examine the mechanisms in place for tracking user activities, the protection of audit trails, and the procedures for regular log reviews to detect any unauthorised or suspicious activity.

QSA Qualifications for Effective Compliance Verification

To effectively verify compliance, QSAs must possess a deep understanding of PCI DSS standards and the technical acumen to evaluate complex security systems. They should have a proven track record of performing rigorous security assessments and the ability to provide actionable recommendations for enhancing data security measures.

Coordinating with QSAs Through ISMS.online

At ISMS.online, we recognise the importance of a smooth compliance verification process. Our platform is designed to facilitate your coordination with QSAs, providing a centralised location for all your compliance documentation and evidence. By leveraging our tools, you can ensure that your organisation’s compliance efforts are well-documented, easily accessible, and aligned with the stringent requirements of PCI DSS Requirement 10.


Compliance doesn't have to be complicated.

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

PCI DSS Requirement 10 and Secure Audit Trails

PCI DSS Requirement 10 is pivotal in safeguarding cardholder data by ensuring that all access to system components is logged and scrutinised. Let’s delve into the specifics of how this requirement fortifies audit trails and the role of ISMS.online in streamlining compliance.

Monitoring and Protecting Audit Trails

Requirement 10 mandates the continuous monitoring and protection of audit trails to prevent unauthorised access and alterations. This includes implementing robust mechanisms to log all user activities, especially those involving access to cardholder data and system components.

Conducting Regular Log Reviews

Organisations are required to perform regular reviews of logs to identify and investigate anomalies or suspicious activities. These reviews are critical for early detection of potential security incidents and for maintaining the integrity of the payment ecosystem.

Retaining Audit History

Retaining an audit history is essential for security fault detection and forensic analysis. Requirement 10 specifies the need to preserve logs for a minimum period, ensuring that historical data is available for investigation in the event of a security breach.

ISMS.online and Policy Dissemination

Our platform, ISMS.online, provides comprehensive features to support your compliance with Requirement 10. We offer tools for documenting and disseminating monitoring policies, ensuring that your audit trails are secure and that log review processes are efficiently managed. With ISMS.online, you can confidently navigate the complexities of PCI DSS Requirement 10, maintaining a secure and compliant payment environment.


Requirement 10’s Sub-Requirements for User Access Logging

PCI DSS Requirement 10 establishes stringent sub-requirements for user access logging to ensure that every action on your system is accounted for. Understanding these sub-requirements is essential for maintaining a secure payment card environment.

Individual User Access Logging and Administrative Actions

Requirement 10 mandates that all individual user accesses to system components are logged. This includes each instance of access to cardholder data and administrative actions. By doing so, it creates an auditable trail that can be used to trace any action back to a specific user, which is crucial for both accountability and forensic analysis in the event of a security incident.

Protocols for Audit Trail Protection

To protect the integrity of audit trails, Requirement 10 specifies protocols for safeguarding against unauthorised access and manipulation. This includes implementing strict access controls and monitoring mechanisms to detect and alert on invalid access attempts.

The Importance of Time Synchronisation

Accurate time synchronisation across all system components is critical for maintaining log integrity. It ensures that events are logged in a consistent chronological order, which is vital for investigating and understanding the sequence of events during a security incident.


Manage all your compliance in one place

ISMS.online supports over 100 standards
and regulations, giving you a single
platform for all your compliance needs.

Book a demo

Integrating Requirement 10 with Other PCI DSS Controls

Understanding the interplay between PCI DSS Requirement 10 and other key controls is essential for a comprehensive security strategy. Let’s explore how these integrations bolster your overall compliance efforts.

Physical Access Restrictions and Security Testing

Requirement 10 does not operate in isolation; it complements physical access restrictions outlined in Requirement 9 and the regular security testing mandated by Requirement 11. Together, they form a triad that secures both the digital and physical realms of your payment card environment. By monitoring and logging digital access while controlling physical entry and regularly testing security systems, you create a robust defence against data breaches.

Holistic Approach to PCI DSS Compliance

For a holistic approach to PCI DSS compliance, it’s imperative to view Requirement 10 as part of an interconnected framework. This means aligning it with other control systems, such as incident response plans and network security protocols, to ensure a unified and effective security posture.

ISMS.online – An Integrated Management System

At ISMS.online, we provide an integrated management system that simplifies the complexity of adhering to multiple PCI DSS requirements. Our platform enables you to manage the intricacies of Requirement 10 alongside other PCI DSS controls, ensuring that your compliance efforts are cohesive and streamlined. With our tools and guidance, you can confidently navigate the landscape of PCI DSS requirements, ensuring that every aspect of your payment card security is addressed.


Further Reading

Achieving Maturity in Log Management

In the framework of PCI DSS compliance, a mature log management system is not just about collecting datait’s about leveraging that data for enhanced security and operational efficiency.

The Hallmarks of a Mature Log Management System

A mature log management system under PCI DSS is characterised by its ability to not only collect and store logs but also to analyse and utilise them for proactive threat detection and response. It involves sophisticated processes for monitoring network resources and cardholder data access, ensuring that all actions are recorded and scrutinised for any irregularities.

Optimising Log Management for PCI DSS Compliance

To optimise your log management in line with Requirement 10, it’s essential to implement a system that automates the collection and analysis of log data. This system should be capable of alerting you to potential security incidents, providing the necessary insights to respond swiftly and effectively.

Quantitative Management and Control Effectiveness

Quantitative management plays a pivotal role in sustainable control effectiveness by allowing you to measure and analyse log data. This data-driven approach enables you to make informed decisions about security policies and procedures, ensuring that your controls are both effective and efficient.


Identity and Access Management Tools for Compliance

For the purpose of PCI DSS Requirement 10, identity and access management (IAM) tools are not just beneficial; they are essential for ensuring that access to system components and cardholder data is securely managed.

Active Directory and M365: Pillars of Requirement 10 Compliance

Active Directory (AD) and Microsoft 365 (M365) are foundational tools that support compliance with Requirement 10. AD helps you manage user permissions, ensuring that only authorised individuals have access to sensitive data. M365 complements this by providing a suite of productivity tools that, when properly configured, adhere to the stringent security measures required by PCI DSS.

The Critical Role of MFA and SSO

Multi-Factor Authentication (MFA) and Single Sign-On (SSO) are critical in fortifying your security posture. MFA adds an additional layer of security by requiring users to provide two or more verification factors to gain access, significantly reducing the risk of unauthorised access. SSO simplifies the user authentication process by using a single set of credentials, minimising the potential for password-related security breaches.

Zero Trust: A Modern Approach Aligned with PCI DSS

The Zero Trust model operates on the principle of “never trust, always verify,” which is in harmony with the principles of Requirement 10. By assuming that threats can exist both outside and inside the network, Zero Trust necessitates continuous verification of all users and devices, ensuring that access is securely controlled and monitored.


Utilising SIEM for Effective Log Management and Threat Response

Security Information and Event Management (SIEM) systems are integral to fulfilling PCI DSS Requirement 10. They serve as the backbone for logging and monitoring activities that protect cardholder data.

The Role of SIEM in Log Management

SIEM solutions are designed to centralise the logging of all user activities and system events, providing a comprehensive view of your security landscape. By aggregating data from various sources, SIEM enables you to detect patterns and anomalies that could indicate a security threat, ensuring compliance with Requirement 10’s mandate for meticulous monitoring.

SIEM’s Contribution to Threat Detection and Response

In the context of PCI DSS, SIEM systems are invaluable for their real-time threat detection capabilities. They analyse log data to identify suspicious activities, alerting you to potential breaches swiftly. This prompt response is crucial for minimising the impact of security incidents and maintaining the integrity of cardholder data.

Essential Features of a SIEM System

A robust SIEM system should offer features such as automated log aggregation, real-time analysis, customizable alerts, and comprehensive reporting. These features support the detection of anomalies and facilitate the forensic analysis of events, which are key components of PCI DSS compliance.

Complementing SIEM with ISMS.online

Our platform, ISMS.online, complements SIEM systems by providing a framework for managing your security policies and procedures. We offer tools that enhance your SIEM’s capabilities, ensuring that your log management processes are not only compliant with PCI DSS Requirement 10 but also optimised for maximum security efficacy. With ISMS.online, you can achieve a robust security posture that is both proactive and resilient.


Aligning PCI DSS Requirement 10 with ISO 27001:2022

When you’re navigating the complexities of PCI DSS Requirement 10, understanding its alignment with ISO 27001:2022 controls can provide a broader perspective on compliance. At ISMS.online, we help you map these requirements to ensure a comprehensive approach to your information security management.

Detailed Mapping of PCI DSS Requirement 10 to ISO 27001:2022

  • Requirement 10.1: Defined Logging and Monitoring Processes
  • ISO 27001:2022 Controls:

    • A.8.15 Logging: Ensuring actions are recorded and examined.
    • A.8.16 Monitoring activities: Regularly checking for anomalies.
    • 5.3 Organisational roles, responsibilities, and authorities: Clarifying accountability within your organisation.
  • Requirement 10.2: Implementation of Audit Logs

  • ISO 27001:2022 Control:

    • A.8.15 Logging: Supporting anomaly detection and event analysis.
  • Requirement 10.3: Protection of Audit Logs

  • ISO 27001:2022 Controls:

    • A.8.15 Logging: Safeguarding logs from tampering.
    • 5.3 Organisational roles, responsibilities, and authorities: Assigning specific duties for log protection.
  • Requirement 10.4: Review of Audit Logs

  • ISO 27001:2022 Controls:

    • A.8.15 Logging: Identifying irregularities in system use.
    • A.8.16 Monitoring activities: Continuous oversight of security events.
  • Requirement 10.5: Retention of Audit Log History

  • ISO 27001:2022 Control:

    • A.8.15 Logging: Preserving historical data for thorough analysis.
  • Requirement 10.6: Time-Synchronisation Mechanisms

  • ISO 27001:2022 Control:

    • A.8.17 Clock synchronisation: Ensuring consistent timestamps across systems.
  • Requirement 10.7: Response to Security Control Failures

  • ISO 27001:2022 Control:

    • A.8.16 Monitoring activities: Prompt detection and action on security system failures.

Our platform provides the tools and guidance necessary to align these critical security requirements, ensuring that your compliance efforts are both effective and recognised across multiple frameworks.



ISMS.online and PCI DSS Requirement 10 Compliance

Navigating the complexities of PCI DSS Requirement 10 can be challenging. At ISMS.online, we specialise in providing comprehensive support to ensure your organisation meets these critical log and monitoring requirements.

Tailored Solutions for Your Compliance Needs

We understand that each organisation is unique, with specific compliance challenges. That’s why we offer tailored solutions to fit your particular needs:

  • Customisable Compliance Frameworks: Our platform adapts to your business, providing the necessary tools to document, implement, and manage Requirement 10 controls.
  • Integrated Policy Management: We help you develop and disseminate monitoring policies that are both compliant and aligned with your organisational practices.

Enhancing Your Data Security Measures

Partnering with ISMS.online not only supports compliance but also enhances your overall data security measures:

  • Centralised Log Management: Our system centralises your log data, making it easier to monitor, review, and respond to potential security incidents.
  • Automated Alerting Systems: Stay ahead of threats with our automated alerting, which notifies you of any suspicious activities in real-time.

Choosing ISMS.online for Comprehensive Compliance Support

Selecting ISMS.online for your PCI DSS Requirement 10 compliance offers several advantages:

  • Expertise: Our team has extensive knowledge of PCI DSS requirements and best practices.
  • Efficiency: Streamline your compliance processes with our all-in-one platform.
  • Security: Enhance your security posture with our robust tools and features.

Contact us today to learn how we can assist your organisation in achieving and maintaining compliance with PCI DSS Requirement 10 and beyond.

Book a demo


PCI DSS Requirements Table

PCI DSS Requirement NumberPCI DSS Requirement Name
PCI DSS Requirement 1Install and Maintain a Firewall Configuration to Protect Cardholder Data
PCI DSS Requirement 2Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
PCI DSS Requirement 3Protect Stored Cardholder Data
PCI DSS Requirement 4Encrypt Transmission of Cardholder Data Across Open, Public Networks
PCI DSS Requirement 5Protect All Systems Against Malware and Regularly Update Antivirus Software or Programs
PCI DSS Requirement 6Develop and Maintain Secure Systems and Applications
PCI DSS Requirement 7Restrict Access to Cardholder Data by Business Need to Know
PCI DSS Requirement 8Identify and Authenticate Access to System Components
PCI DSS Requirement 9Restrict Physical Access to Cardholder Data
PCI DSS Requirement 10Track and Monitor All Access to Network Resources and Cardholder Data
PCI DSS Requirement 11Regularly Test Security Systems and Processes
PCI DSS Requirement 12Maintain a Policy That Addresses Information Security for All Personnel

complete compliance solution

Want to explore?
Start your free trial.

Sign up for your free trial today and get hands on with all the compliance features that ISMS.online has to offer

Find out more

Explore ISMS.online's platform with a self-guided tour - Start Now