PAYMENT GATEWAY

[THK] F.5.4 Auditability and Retention

Auditability and retention ensure that system activity and transaction processing can be reviewed, verified, and reconstructed over time, supporting operational analysis, incident investigation, and compliance requirements.

They provide the foundation for accountability, enabling the Merchant to demonstrate how transactions were processed and how system behavior evolved under real-world conditions.

Auditability Principles

Auditability requires that all relevant system activity can be consistently traced and verified.

  • The Merchant system must ensure that:
    • All significant events are recorded and retained
    • Actions affecting transaction processing are traceable
    • System behavior can be reconstructed from historical data

Auditability must enable:

  • Verification of transaction outcomes
  • Reconstruction of execution flows
  • Analysis of system behavior during incidents

Auditability depends on the consistent application of logging and correlation practices, as defined in F.5.1 Logging Principles and F.5.2 Correlation and Traceability.

Retention of Logs and Audit Data

Logs and audit data must be retained for an appropriate and defined period to support operational and compliance needs.

  • The Merchant system must ensure that:
    • Logs are retained for a duration aligned with business, operational, and regulatory requirements
    • Retention policies are consistently applied across all environments
    • Archived logs remain accessible for investigation and audit purposes

Retention must balance:

  • The need for historical visibility
  • Storage and operational considerations

Loss or premature deletion of logs may prevent effective investigation and audit.

Integrity and Protection of Logs

Logs must be protected against unauthorized access, alteration, or deletion.

  • The Merchant system must ensure that:
    • Logs are stored in a secure and controlled manner
    • Access to logs is restricted to authorized roles and monitored
    • Log data cannot be altered without detection

Integrity controls must ensure that:

  • Logs accurately reflect the events that occurred
  • Historical data remains trustworthy over time

Protection of logs is essential to maintain confidence in audit and investigation processes.

Audit Trails

Audit trails must provide a coherent record of system activity.

  • The Merchant system must ensure that:
    • Actions affecting transactions and system behavior are recorded in a traceable manner
    • Audit trails link related events across the transaction lifecycle
    • Changes and decisions can be traced to their origin

Audit trails must support:

  • Identification of who or what performed an action
  • Understanding of when actions occurred
  • Reconstruction of how transaction outcomes were reached

Audit trails rely on consistent logging and correlation to provide meaningful historical insight.
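As an added illustration (not part of the Merchant specification or any gateway's code), the following Python sketch shows one way to satisfy both the integrity requirement above (log data cannot be altered without detection) and the audit-trail requirements (who, when, and linkage of related events across a transaction's lifecycle): an append-only, hash-chained trail whose verify() reports the first altered, reordered or truncated record. Service names, the correlation id and the event details are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stand-in hash for the predecessor of the first record


def entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash a record together with its predecessor's hash (the chain link)."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained audit trail. Every record carries who (actor),
    when (at), what (action/details) and a correlation id tying together all
    events of one transaction."""

    def __init__(self):
        self.records = []

    def append(self, actor, action, correlation_id, details):
        entry = {"seq": len(self.records),
                 "at": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action,
                 "correlation_id": correlation_id, "details": details}
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({**entry, "hash": entry_hash(prev, entry)})

    def verify(self, expected_head=None) -> int:
        """Recompute the chain. Return the index of the first altered or
        reordered record, len(records) if the trail was truncated (only
        detectable against a separately stored head hash), or -1 if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            entry = {k: v for k, v in rec.items() if k != "hash"}
            if entry["seq"] != i or rec["hash"] != entry_hash(prev, entry):
                return i
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.records)
        return -1

    def trace(self, correlation_id):
        """Reconstruct one transaction's execution flow from the trail."""
        return [r for r in self.records if r["correlation_id"] == correlation_id]


def demo() -> AuditTrail:
    """Constructed sample: one authorization flow recorded by three services."""
    trail = AuditTrail()
    cid = "txn-0001"  # constructed correlation id
    trail.append("checkout-svc", "AUTH_REQUESTED", cid, {"amount": 4999, "currency": "EUR"})
    trail.append("fraud-svc", "RISK_SCORED", cid, {"score": 12, "decision": "allow"})
    trail.append("psp-adapter", "AUTH_APPROVED", cid, {"auth_code": "A1B2C3"})
    return trail
```

The head hash returned by the last append should be stored outside the log store (for example in a write-once location) so that verify() can also detect deletion of the most recent records.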

Access and Availability of Audit Data

Audit data must be accessible to authorized personnel in a timely manner when required.

  • The Merchant system must ensure that:
    • Logs and audit records can be retrieved in a timely manner
    • Access is controlled according to security and operational requirements
    • Audit data is available for investigation, troubleshooting, and compliance activities

Restricted or delayed access to audit data may hinder incident response and analysis.

Consistency Across Environments

Auditability and retention practices must be applied consistently across all environments.

  • The Merchant system must ensure that:
    • Logging, correlation, and retention policies are aligned across development, testing, and production environments
    • Differences between environments do not introduce gaps in auditability

Consistent practices ensure that behavior observed in one environment can be reliably interpreted and compared with others.

Compliance and Operational Requirements

Auditability and retention must support applicable compliance and operational requirements.

  • The Merchant system must:
    • Ensure that audit data meets relevant regulatory and business obligations
    • Maintain sufficient historical records to support audits and reviews

Auditability must enable the Merchant to demonstrate:

  • Correct processing of transactions
  • Proper handling of operational issues
  • Adherence to defined procedures and controls

Key Principle

Auditability and retention must be enforced as system-wide capabilities, ensuring that all relevant system activity and transaction processing can be reliably recorded, protected, and reviewed over time, supporting accountability, investigation, and compliance under real-world conditions.
