Detection and response depend entirely on the quality of logging and monitoring. Requirements 10 and 11 create the surveillance capability that enables organizations to detect suspicious activity, investigate incidents, and verify that security controls are operating correctly. Together they provide both the ongoing monitoring (Requirement 10) and the periodic independent testing (Requirement 11) that validate the CDE's security posture.
Requirement 10 — Audit Logging
What Must Be Logged
PCI DSS v4.0 specifies the events that must generate audit log entries for all system components in the CDE.
- All individual user access to cardholder data
- All actions taken by any individual with root or administrative privileges
- Access to all audit trails (the logs themselves)
- Invalid logical access attempts
- Use of and changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges)
- Initialization, stopping, or pausing of audit logs
- Creation and deletion of system-level objects
| KEY IDEA | The requirement to log "all access to audit trails" is often overlooked — but it is critical. An attacker who can delete or modify audit logs can erase evidence of their actions. PCI DSS requires logging the access to logs themselves, and the log integrity controls (write-once, append-only, cryptographic hashing) make log tampering detectable. |
Log Content Requirements
Each log entry must contain: the type of event, date and time, success or failure, origination of event, identity of affected data/component/resource, and the identity of the user responsible.
Log Protection and Integrity
Audit logs must be protected from modification, deletion, and unauthorized access. Typical techniques: write-once or append-only storage, cryptographic hashing of log entries, forwarding logs to a centralized log server separate from the systems that generated them, and strict access controls on the log store itself.
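The following is an added illustration, not code from the page: an in-memory stand-in for an append-only audit log whose entries carry the six fields listed under "Log Content Requirements" and are hash-chained, so that modifying, deleting or reordering any entry is detected on verification. The event names, hosts, users and timestamps in the sample entries are constructed, and the in-memory list stands in for whatever write-once store or central log server a real deployment would use.

```python
import hashlib
import json

# Added illustration, not from the page: an append-only audit log whose entries
# carry the six fields Requirement 10 mandates and are hash-chained so that any
# modification, deletion or reordering is detectable on verification.

REQUIRED_FIELDS = ("event_type", "timestamp", "outcome", "origin", "target", "user")
GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def _entry_hash(fields: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend
    # on the order the fields were supplied in.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    """In-memory stand-in for an append-only log store (assumption: the real
    store would be a write-once medium or a separate central log server)."""

    def __init__(self):
        self.entries = []

    def append(self, **fields) -> dict:
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"audit entry missing required fields: {missing}")
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        record = dict(fields)
        record["prev_hash"] = prev_hash
        record["hash"] = _entry_hash(fields, prev_hash)
        self.entries.append(record)
        return record

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index) of
        the first entry whose hash or link to its predecessor does not match."""
        prev_hash = GENESIS_HASH
        for i, record in enumerate(self.entries):
            fields = {k: v for k, v in record.items() if k not in ("prev_hash", "hash")}
            if record["prev_hash"] != prev_hash or record["hash"] != _entry_hash(fields, prev_hash):
                return False, i
            prev_hash = record["hash"]
        return True, None


def build_sample_log() -> AuditLog:
    """Constructed entries covering several of the event classes Requirement 10
    lists; hosts, users and times are made up for the illustration."""
    log = AuditLog()
    log.append(event_type="chd_access", timestamp="2025-03-14T02:10:00Z", outcome="success",
               origin="10.0.5.22", target="pos-db01:cards", user="alice")
    log.append(event_type="admin_action", timestamp="2025-03-14T02:12:30Z", outcome="success",
               origin="10.0.9.4", target="pos-db01:sshd_config", user="root")
    log.append(event_type="auth_failure", timestamp="2025-03-14T02:13:05Z", outcome="failure",
               origin="10.0.5.30", target="pos-db01", user="bob")
    log.append(event_type="audit_stopped", timestamp="2025-03-14T03:40:00Z", outcome="success",
               origin="console", target="pos-db01:auditd", user="root")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1]["user"] = "nobody"  # tamper with the recorded admin action
    print("after tampering:", log.verify())
```

The chain only makes tampering detectable; it does not prevent it. The point of verifying against a copy held on a separate log server is that an attacker who controls the generating system cannot also rewrite the chain the verifier trusts.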
Log Retention
Logs must be retained for at least 12 months. At least 3 months of logs must be immediately available for analysis (online or near-online). Older logs may be archived but must be retrievable.
Daily Log Review
Logs from all in-scope system components must be reviewed at least daily. For high-volume environments, automated SIEM (Security Information and Event Management) systems are the practical implementation — with alerting for anomalous or suspicious events.
| Logging Component | Requirement | Typical Implementation |
|---|---|---|
| Centralized log server | All CDE logs forwarded to centralized server | SIEM platform, syslog aggregator, cloud logging service |
| Log integrity protection | Logs cannot be modified or deleted | Write-once storage, cryptographic hashing, SIEM ingestion with integrity checks |
| Daily review | Daily review of logs for anomalous activity | SIEM alerting rules, SOC monitoring, automated anomaly detection |
| 12-month retention | Logs kept for 12 months; 3 months immediately available | Log rotation to archive storage, retrieval procedures documented |
| Time synchronization | All system clocks synchronized to NTP | NTP hierarchy, time server documentation |
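As an added example (not code from the page), here are three of the review rules a SIEM or a daily review script would apply, run over a handful of constructed events in a simple "timestamp key=value ..." line format. The hosts, users, addresses, timestamps and the set of accounts authorized to read the audit trail are all assumptions made for the illustration; the rules themselves map to the event classes listed under "What Must Be Logged": repeated invalid logical access attempts, audit log initialization, stopping or pausing, and access to the audit trail itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added illustration, not from the page: three daily-review rules run over
# constructed events in a "timestamp key=value ..." format, as a central log
# server might hold them. Hosts, users, addresses and times are made up.
SAMPLE_LOG = """\
2025-03-14T02:11:05Z host=pos-db01 event=auth_failure user=alice src=10.0.5.22
2025-03-14T02:11:09Z host=pos-db01 event=auth_failure user=alice src=10.0.5.22
2025-03-14T02:11:12Z host=pos-db01 event=auth_failure user=alice src=10.0.5.22
2025-03-14T02:11:15Z host=pos-db01 event=auth_failure user=alice src=10.0.5.22
2025-03-14T02:11:20Z host=pos-db01 event=auth_failure user=alice src=10.0.5.22
2025-03-14T02:11:25Z host=pos-db01 event=auth_success user=alice src=10.0.5.22
2025-03-14T03:40:00Z host=pos-db01 event=audit_stopped user=root src=console
2025-03-14T03:41:10Z host=pos-db01 event=audit_trail_read user=svc-batch src=10.0.9.7
2025-03-14T04:00:00Z host=app01 event=auth_failure user=bob src=10.0.5.30
2025-03-14T09:00:00Z host=logsrv01 event=audit_trail_read user=siem-reader src=10.0.9.5
"""

# Accounts allowed to read the audit trail (assumption for the illustration).
AUTHORIZED_LOG_READERS = {"siem-reader"}
AUDIT_STATE_EVENTS = {"audit_initialized", "audit_stopped", "audit_paused"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str):
    """Parse one event line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        fields = dict(item.split("=", 1) for item in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:  # malformed key=value item or timestamp
        return None
    return fields


def review(log_text: str, failure_threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Return a list of alert dicts; each rule fires once per qualifying condition."""
    alerts = []
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps inside the window
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind = ev.get("event")
        if kind == "auth_failure":
            key = (ev.get("user"), ev.get("src"))
            q = recent_failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) == failure_threshold:  # fires on the Nth failure, once per burst
                alerts.append({"rule": "repeated_auth_failure", "host": ev.get("host"),
                               "user": key[0], "src": key[1], "at": ev["ts"]})
        elif kind in AUDIT_STATE_EVENTS:
            alerts.append({"rule": "audit_log_state_change", "host": ev.get("host"),
                           "user": ev.get("user"), "event": kind, "at": ev["ts"]})
        elif kind == "audit_trail_read" and ev.get("user") not in AUTHORIZED_LOG_READERS:
            alerts.append({"rule": "unauthorized_audit_trail_access", "host": ev.get("host"),
                           "user": ev.get("user"), "src": ev.get("src"), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

On the sample, bob's single failure stays below the threshold and siem-reader's read of the audit trail is authorized, so exactly three alerts come out: the five-failure burst for alice (which is followed by a success and deserves a look for that reason alone), the audit daemon being stopped, and a service account reading the audit trail. Note that the window logic depends on the timestamps being comparable, which is why the "Time synchronization" row in the table above matters for review as well as for forensics.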
Requirement 11 — Security Testing
Internal Vulnerability Scanning
Internal vulnerability scans must be performed at least quarterly by a qualified internal resource or a qualified third party. All High and Critical vulnerabilities must be remediated and the affected systems rescanned; the scan counts as passing only once no High or Critical findings remain.
External Vulnerability Scanning — ASV Required
External vulnerability scans of all internet-facing systems in the CDE must be performed at least quarterly by an Approved Scanning Vendor (ASV). ASVs are companies approved by the PCI SSC to perform external scanning. The ASV scan must achieve a passing status — all High and Critical vulnerabilities remediated and rescanned.
Penetration Testing
Penetration testing of the entire CDE, at both the network and application layers, is required at least annually. Penetration testing is distinct from vulnerability scanning: it actively attempts to exploit vulnerabilities rather than merely identifying them. The methodology must cover both external and internal attack paths, and significant changes to the CDE also trigger a penetration test.
Network Segmentation Testing
Organizations that rely on network segmentation to reduce PCI DSS scope must test that segmentation annually (and after any significant change). Segmentation testing verifies that out-of-scope systems truly cannot communicate with CDE systems.
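The following is an added example, not code from the page, of the minimal shape a segmentation test takes when run from an out-of-scope host: every path the segmentation design says must be blocked is probed and must fail, and a few positive controls (paths that must work) guard against a broken or misconfigured probe host reporting "blocked" for everything and producing a false pass. The addresses, ports and path labels are assumptions for the illustration; `tcp_reachable` is the default probe and needs network access, while the `reachable` parameter lets the report logic be exercised with a stub.

```python
import socket
from dataclasses import dataclass

# Added illustration, not from the page: a segmentation check run from an
# out-of-scope host. Every path the segmentation design says must be blocked
# is probed and must fail; positive controls (paths that must work) guard
# against a broken probe host reporting "blocked" for everything.
# Addresses, ports and labels are assumptions for the illustration.


@dataclass(frozen=True)
class Path:
    label: str
    host: str
    port: int


MUST_BE_BLOCKED = [
    Path("corporate LAN -> CDE database", "10.20.0.10", 1433),
    Path("corporate LAN -> CDE app server https", "10.20.0.11", 443),
    Path("corporate LAN -> CDE app server ssh", "10.20.0.11", 22),
]
POSITIVE_CONTROLS = [
    Path("corporate LAN -> internal DNS (must work)", "10.10.0.53", 53),
]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Default probe: True if a TCP handshake completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_segmentation_test(must_be_blocked, positive_controls, reachable=tcp_reachable) -> dict:
    """Return a report with the paths that were reachable but must not be
    (violations), the control paths that were unreachable (the test itself is
    unreliable), and a pass flag that requires both lists to be empty."""
    report = {"violations": [], "failed_controls": []}
    for p in positive_controls:
        if not reachable(p.host, p.port):
            report["failed_controls"].append(p)
    for p in must_be_blocked:
        if reachable(p.host, p.port):
            report["violations"].append(p)
    report["passed"] = not report["violations"] and not report["failed_controls"]
    return report


if __name__ == "__main__":
    result = run_segmentation_test(MUST_BE_BLOCKED, POSITIVE_CONTROLS)
    print("PASS" if result["passed"] else "FAIL")
    for p in result["violations"]:
        print("  reachable but must be blocked:", p.label, f"{p.host}:{p.port}")
    for p in result["failed_controls"]:
        print("  control path unreachable, result unreliable:", p.label)
```

A real assessment probes from every out-of-scope network zone, covers UDP and ICMP as well as TCP, and keeps the path list in sync with the firewall rule base and the scope document so that a newly added CDE host cannot be missed; the report structure above is the part that stays the same.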
Payment Page Change Detection (Requirement 11.6.1 — New in v4.0)
A change- and tamper-detection mechanism must alert personnel to unauthorized modification of the HTTP headers and the contents of payment pages. This can be implemented using Content Security Policy (CSP) headers, Subresource Integrity (SRI) checks, or dedicated payment page monitoring solutions.
| IMPORTANT | Requirement 11.6.1 (payment page change detection) is a companion to 6.4.3 (JavaScript management). Together they create a comprehensive defense against JavaScript skimming: 6.4.3 ensures all scripts are authorized, and 11.6.1 detects when unauthorized changes are made. These requirements became mandatory in March 2025 and are now fully enforced in QSA assessments. |
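As an added example that is not code from the page, the detector below shows how 6.4.3 and 11.6.1 fit together in one mechanism: the baseline snapshot is the authorized script inventory (6.4.3), and each later capture of the payment page and its response headers is compared against it (11.6.1). Scripts loaded by URL are tracked by their declared SRI integrity attribute, inline scripts by the SRI-style SHA-384 digest of their content, and a couple of security headers by value. The page markup, script URLs, header values and the later "tampered" capture are all constructed for the illustration, and the integrity values are placeholders rather than real hashes.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Added illustration, not from the page: a baseline-and-compare detector for a
# payment page. External scripts are tracked by their declared SRI integrity
# attribute, inline scripts by the SRI hash of their content, and a few
# security headers by value. All page content, URLs and header values are
# constructed; the integrity values are placeholders, not real hashes.

WATCHED_HEADERS = ("content-security-policy", "strict-transport-security")

BASELINE_HTML = """<html><head><title>Checkout</title>
<script src="https://js.psp.example/checkout.js" integrity="sha384-PLACEHOLDER-A" crossorigin="anonymous"></script>
<script>window.checkoutConfig = {"merchant": "m-001", "currency": "IDR"};</script>
</head><body><form id="card-form"></form></body></html>"""
BASELINE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://js.psp.example",
    "Strict-Transport-Security": "max-age=31536000",
}

# A constructed later capture: an extra script tag without SRI, a modified
# inline script, and the CSP header no longer present.
TAMPERED_HTML = BASELINE_HTML.replace(
    '"currency": "IDR"};', '"currency": "IDR"}; /* altered */'
).replace("</head>", '<script src="https://cdn.unknown.invalid/t.js"></script></head>')
TAMPERED_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}


class _ScriptCollector(HTMLParser):
    """Collect (src, integrity, inline_text) for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._attrs = None  # attributes of the <script> currently open, if any
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs = dict(attrs)
            self._buf = []

    def handle_data(self, data):
        if self._attrs is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            self.scripts.append((self._attrs.get("src"), self._attrs.get("integrity"), "".join(self._buf)))
            self._attrs = None


def sri_hash(content: bytes) -> str:
    """SRI-style digest: algorithm prefix plus base64 of the SHA-384 digest."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def snapshot(html: str, headers: dict) -> dict:
    """Reduce a captured page plus response headers to what the detector compares."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    scripts, inline_index = {}, 0
    for src, integrity, inline in parser.scripts:
        if src:
            scripts[src] = integrity or "NO-INTEGRITY"  # a missing SRI value is itself worth seeing
        else:
            scripts[f"inline#{inline_index}"] = sri_hash(inline.encode())
            inline_index += 1
    lower = {k.lower(): v for k, v in headers.items()}
    return {"scripts": scripts, "headers": {h: lower.get(h) for h in WATCHED_HEADERS}}


def detect_changes(baseline: dict, current: dict) -> list:
    """Return sorted (kind, subject) alerts; an empty list means no change."""
    b, c = baseline["scripts"], current["scripts"]
    alerts = [("script_added", k) for k in c.keys() - b.keys()]
    alerts += [("script_removed", k) for k in b.keys() - c.keys()]
    alerts += [("script_changed", k) for k in b.keys() & c.keys() if b[k] != c[k]]
    alerts += [("header_changed", h) for h in WATCHED_HEADERS
               if baseline["headers"][h] != current["headers"][h]]
    return sorted(alerts)


if __name__ == "__main__":
    baseline = snapshot(BASELINE_HTML, BASELINE_HEADERS)
    for kind, subject in detect_changes(baseline, snapshot(TAMPERED_HTML, TAMPERED_HEADERS)):
        print(f"ALERT {kind}: {subject}")
```

Two caveats a practitioner would add. First, comparing an external script by its declared `integrity` attribute only catches changes to the page; the complete check also fetches the script and verifies its content against the pinned SRI value, which is omitted here so the example runs offline. Second, CSP and SRI restrict what the browser will load, but on their own they do not satisfy the "alert personnel" wording of 11.6.1; a scheduled capture-and-compare like this one (or CSP violation reporting routed into the SIEM) is what turns a silent block into an alert someone sees.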
| ASV scanning is one of the most operationally challenging ongoing requirements for Indonesian organizations. The quarterly cadence means there are four scan cycles per year, each potentially revealing new vulnerabilities that must be remediated and rescanned before a passing report can be submitted. Building an internal vulnerability management process — not just a once-per-quarter scan — is the only sustainable path. |