What does PCI DSS require regarding file-integrity monitoring for logs?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

What does PCI DSS require regarding file-integrity monitoring for logs?

Explanation:
FIM for logs centers on preserving the integrity of evidence. PCI DSS requires a change-detection mechanism so you’re alerted if someone tampers with critical files, and log files are a prime example of those evidence-worthy files. The point is not to stop logs from growing with new data—that’s a normal, expected activity—but to detect unauthorized modifications to existing log content. If someone tries to alter, delete, or corrupt past log entries, the monitoring system should trigger an alert, helping you respond and maintain a reliable audit trail for investigations. Choosing not to monitor logs, regularly deleting them, or disabling them during maintenance would leave tampering invisible, erase important records, and weaken your security controls—exactly what PCI DSS aims to prevent.

