Diff: FAQ #1304

What devices does PCI DSS Requirement 10.6.2 apply to?

Earlier Version
2018-08-14 17:43:00 UTC
Later Version
2025-07-22 19:45:49 UTC
Earlier Version text:

PCI DSS defines a number of events and system types that require daily log reviews, and allows the organization to determine the log review frequency for all other in-scope events and systems that do not fall into those categories.

For some environments, it is possible that all in-scope systems fall under the system categories defined in Requirement 10.6.1, meaning that daily log reviews are required for all in-scope systems. In other environments, there may be many different types of system that are considered in scope, but which are not critical systems and neither store, process or transmit CHD nor provide security services to the CDE. Some possible examples could be stock-control or inventory-control systems, print servers (assuming there is no printing of CHD) or certain types of workstations. For these events or systems, the entity, as part of its annual risk assessment process, is expected to define the frequency for log reviews based on the risk to its specific environment.

Later Version text:

Requirement 10.4.1 defines several events and system types that require daily log reviews, but Requirement 10.4.2 allows the organization to determine the log review frequency for all other in-scope events and systems that do not fall under Requirement 10.4.1.

For some environments, all in-scope systems could fall under the system categories defined in Requirement 10.4.1, meaning that daily log reviews are required for all in-scope systems. In other environments, there may be systems that are considered in scope, but which do not meet the bullets specified in Requirement 10.4.1. Some possible examples could be stock-control or inventory-control systems, print servers, or certain types of workstations.

Requirement 10.4.2.1 specifies that the frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.