A cloud administrator is configuring log retention for a financial application that must comply with PCI DSS. What is the minimum log retention period required by PCI DSS?
PCI DSS Requirement 10.7 mandates retention for at least one year, with three months online.
Why this answer
PCI DSS requirement 10.7 mandates that audit trail history must be retained for at least one year, with the most recent three months of logs immediately available for analysis. This ensures that historical data is preserved for forensic investigation while maintaining quick access to recent activity. Option D correctly states this dual requirement.
Exam trap
The trap here is that candidates often confuse the 'immediately available' 90-day requirement with the total retention period, leading them to incorrectly select Option A instead of recognizing the full one-year retention mandate with the three-month online subset.
How to eliminate wrong answers
Option A is wrong because 90 days is only the minimum period for which the most recent logs must be immediately available, not the total retention period. Option B is wrong because six months is not a PCI DSS retention requirement; the standard requires one year total. Option C is wrong because five years exceeds the PCI DSS minimum; that duration is more typical of HIPAA or other regulatory frameworks, not PCI DSS.