What is the minimum retention period for audit trails and the requirement that some be available online?

• A. Audit logs can be retained indefinitely.
• B. Audit logs must be retained for six months.
• C. Audit logs must be retained for two years.
• D. Audit logs must be retained for at least one year with a minimum of three months online.

Answer: (D)

Auditing and monitoring require a balance between keeping enough history for investigations and having recent activity ready for quick review. PCI DSS mandates that audit trail history be retained for at least one year, with a minimum of three months of that history available online for immediate review. This ensures you can perform thorough forensic analysis over the past year while still having the most recent logs readily accessible for ongoing security monitoring. Longer retention is allowed, but not required by the standard, and options that propose shorter periods don’t meet the minimum, while an indefinite retention approach goes beyond the specified minimum.