What is required regarding access to audit trails?

• A. Audit trails may be accessed by any employee.
• B. Access to all audit trails must be restricted to authorized personnel.
• C. Access is not monitored.
• D. Access is logged but not restricted.

Answer: (B)

Access to audit trails must be restricted to authorized personnel. Audit trails record who did what in the system and often include sensitive information about cardholder data and security events. Limiting access to those with a legitimate business need helps protect the confidentiality and integrity of the logs, prevents tampering, and ensures accountability by allowing actions to be traced to specific, approved users. Implementing strict access controls, unique user IDs, and strong authentication, along with regular reviews of who can view or manage logs, aligns with PCI DSS expectations for secure, auditable records. Allowing all employees to access logs, leaving access unmonitored, or only logging access without restricting who can view the trails would undermine log security and the ability to detect and investigate incidents.