How long should the visitor log be retained, unless law requires otherwise?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

How long should the visitor log be retained, unless law requires otherwise?

Explanation:
The fundamental idea is to set a practical minimum retention window for visitor logs to support security review and incident response. Under PCI DSS, keeping visitor logs for a minimum period of 90 days (about three months) provides enough recent data to trace access to restricted areas and investigate events, while avoiding unnecessary long-term storage. If laws or regulations require a longer period, that would take precedence, but the standard baseline is three months. Retaining for six months or a year goes beyond the minimum and isn’t required by the standard, and keeping logs indefinitely introduces privacy and storage concerns. So the best choice is to retain the visitor log for a minimum of three months, unless law requires otherwise.

