In accordance with PCI DSS Requirement 10, how long must audit logs be retained?

The correct answer is based on the specific requirements outlined in PCI DSS Requirement 10, which pertains to the retention of audit logs. According to this requirement, organizations are mandated to retain audit logs for at least one year. Furthermore, it specifies that these logs must be readily available for at least the past three months to ensure that they can be accessed quickly in the event of an investigation or incident response.

The focus on retaining logs for a minimum of a year is critical because it helps organizations to maintain a comprehensive record of access and activity that could be vital for understanding security events over time. The three-month aspect of availability ensures that more recent activity can be reviewed without delay, as this time frame typically aligns with the period where incidents might be most relevant for immediate analysis.

Options suggesting longer retention periods or different availability timelines deviate from this specific requirement, potentially leading organizations to hold onto logs for periods that are not necessary or not mandated, thus complicating data management without providing tangible benefits in compliance. In summary, the importance of both the one-year retention and the three months of availability lies in the balance between security auditing and efficient data management.
