What is the minimum retention period for audit logs?

Prepare for the PCI DSS QSA Exam with detailed quiz questions. Sharpen your understanding with multiple choice questions, each curated to enhance your readiness for the official test. Ace your certification!

The minimum retention period for audit logs specified in the PCI DSS is 1 year. This requirement ensures that organizations keep adequate records of activity involving cardholder data and transactions for a sufficient period. Keeping logs for a year allows past events to be analyzed, which can aid in identifying security breaches or patterns of suspicious activity.

A longer retention policy can also support forensic investigations when needed. However, the PCI DSS mandates a minimum of one year to ensure compliance and to balance the need for security against operational capacity. Retaining audit logs for this period allows for ongoing monitoring and can help organizations demonstrate compliance during assessments or audits.
