[PCI DSS 1.x] 10.2.1 All individual accesses to cardholder data

10.2.1 All individual access to cardholder data

Does that mean adding a trigger to log each SELECT statement on, say, the PAN column in the database?
Our QSA insists on such an interpretation, though it has a huge performance impact :mad:

Read what the control says - ‘INDIVIDUAL’ is the key word. Shared system account monitoring is no good, you need to trace the process back to a point where you can log an INDIVIDUAL’s access (i.e. logging on the application server).
Two places you would generally enable this - firstly on the SQL server itself to identify any root/admin/dba users who are accessing CHD (authorized or not) and secondly on the application server to monitor your customers (if they can access full CHD, that is).
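The reply's point is that the database only sees the application's shared service account, so attributing a read to a person has to happen where the individual is actually known, in the application. The following is an added illustration of that application-layer logging pattern; it is not code from either poster, and the table, the `app_svc` service-account name, the `fraud_analyst` role and the in-memory audit sink are all constructed assumptions for the example.

```python
import datetime
import sqlite3

# Constructed value: the shared account the application uses to reach the
# database. A DB-side trigger or audit log can only ever attribute reads to
# this account, which is why it cannot satisfy "individual" access logging.
DB_SERVICE_ACCOUNT = "app_svc"

# Constructed in-memory audit sink. A real deployment would write to an
# append-only log that is forwarded to central log management.
AUDIT_LOG = []

# Hypothetical role model for the example: roles allowed to see a full PAN.
FULL_PAN_ROLES = {"fraud_analyst"}


def open_db():
    """Create an in-memory table with constructed sample cardholder rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (card_id INTEGER PRIMARY KEY, pan TEXT, holder TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [
            (1, "4111111111111111", "Test Holder A"),  # constructed test PAN
            (2, "5500000000000004", "Test Holder B"),  # constructed test PAN
        ],
    )
    return conn


def mask_pan(pan):
    """Keep at most the first six and last four digits of a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit(individual, action, target, outcome):
    """Record who (the individual user, not the service account) did what.

    The entry deliberately carries the target identifier and outcome but
    never the PAN itself, so the audit trail does not become CHD storage.
    """
    AUDIT_LOG.append({
        "utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "individual": individual,
        "db_account": DB_SERVICE_ACCOUNT,
        "action": action,
        "target": target,
        "outcome": outcome,
    })


def read_pan(conn, individual, role, card_id):
    """Application-layer PAN read that always logs the individual user.

    Returns the full PAN only for roles permitted to see it; everyone else
    receives the masked form. Every path, including a miss, writes an audit
    entry attributed to the individual.
    """
    row = conn.execute(
        "SELECT pan FROM cards WHERE card_id = ?", (card_id,)
    ).fetchone()
    target = f"card:{card_id}"
    if row is None:
        audit(individual, "read_pan", target, "not_found")
        return None
    pan = row[0]
    if role in FULL_PAN_ROLES:
        audit(individual, "read_pan", target, "full")
        return pan
    audit(individual, "read_pan", target, "masked")
    return mask_pan(pan)


def audit_entries_for(individual):
    """Return the audit entries attributed to one individual, in order."""
    return [e for e in AUDIT_LOG if e["individual"] == individual]


if __name__ == "__main__":
    conn = open_db()
    print(read_pan(conn, "alice", "fraud_analyst", 1))
    print(read_pan(conn, "bob", "support", 1))
    for entry in AUDIT_LOG:
        print(entry)
```

Every entry records both the individual (`alice`, `bob`) and the shared `db_account` the query ran under, which makes the gap visible: a trigger on the table would have logged two reads by `app_svc` and nothing more. The DB-side logging the reply mentions still has its place for direct root/admin/dba logins, where the database account is the individual.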