What is the retention requirement for audit trail history?

The key idea is how long and how accessibly audit logs must be kept under PCI DSS. The standard requires audit log histories to be retained for at least one year, with the most recent three months available online for quick review and monitoring. This setup ensures you can investigate recent activity without delay while still preserving a substantial period of historical data for forensic analysis or compliance checks. The other options don’t match this requirement: six months is shorter than the mandated one year; keeping two years online exceeds the specified online window of three months; retaining logs indefinitely goes beyond the minimum one-year rule and isn’t what PCI DSS requires.