Audit Log Description

PCI Std. Requirement Theatre Manager Implementation
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual accesses to cardholder data Theatre Manager creates an 'AC' transaction to track whenever a user sees the entire credit card number. By default, Theatre Manager displays masked card numbers in all windows and reports. Only in specific places will Theatre Manager display card information to those who have specific authorization to see cards. Therefore, you should expect to see very little information in the audit log if you minimize who has access to see full card data.

The act of accepting a credit card at the box office is tracked with a PT audit transaction - i.e. the actual payment - and can be tracked by the user that way. Since this is a normal business act (accepting a card from a patron and typing it in), it is not necessary to also create an audit log.

None of these transactions can be purged.

10.2.2 All actions taken by any individual with root or administrative privileges An administrative user is subject to the same rigorous requirements as all other users.
10.2.3 Access to all audit trails Theatre Manager does not track who views audit trails because they cannot be changed, manipulated or altered by the user in any way. We believe that when users know this information is tracked for PCI compliance, it acts as an additional deterrent. None of the logs ever display sensitive data.
10.2.4 Invalid logical access attempts Theatre Manager tracks who accesses Theatre Manager and when they log in or out via the 'ALI' and 'ALO' transactions.

'ALX' transactions track invalid login attempts (after 3 mistyped passwords), or when the user account is locked out.

These transactions cannot be purged.

10.2.5 Use of identification and authentication mechanisms Theatre Manager uses login and authentication mechanisms. All users of the application must log in.
10.2.6 Initialization of the audit logs The audit logs can never be 'initialized' by the user, nor can be they be cleared except under programmatic control. The minimum retention time is 365 days for audit transactions with the default being forever. Payment logs indicating who took the actual payment are retained forever and cannot be deleted.
10.2.7 Creation and deletion of system-level objects  
10.3 Record at least the following audit trail entries for all system components for each event:

10.3.1 User identification yes - see log example in the user column.
10.3.2 Type of event yes - see log example for the specific transaction codes, expanded description and details about the specific activity.
10.3.3 Date and time yes - see log example
10.3.4 Success or failure indication yes - see log example. Failure logs show when a user tries to log in and forgot their password.
10.3.5 Origination of event yes - see log example for the IP address of the machine that created the event and the user
10.3.6 Identity or name of affected data, system component, or resource yes - see log example - this illustrates an example where a user viewed a specific credit card in full. The patron's name is displayed in the first and last name column.