Audit Logging for Compliance
Using Cresora audit logs to meet PCI DSS and regulatory requirements.
Cresora maintains comprehensive audit logs to help you meet PCI DSS Requirement 10 and other regulatory audit trail requirements.
PCI DSS Requirement 10
PCI DSS Requirement 10 mandates audit trails for:
- All access to cardholder data
- All system administration actions
- All authentication attempts (successful and failed)
- Use of and changes to cryptographic keys
Cresora's audit logs cover your API activity and Partner Portal actions, providing evidence for these requirements.
Accessing audit logs
Partner Portal → Reporting → Audit Log
Filter by:
- Date range
- Actor (API key or user)
- Event type
- Merchant
Via API:
GET https://api.cresoracommerce.com/v1/audit-log?start=2026-05-01&end=2026-05-31
Authorization: Bearer csk_test_xxxxxxxxxxxxLog retention for compliance
| Standard | Required retention | Cresora retention |
|---|---|---|
| PCI DSS Req 10.5 | 12 months online, 12 months archival | 90 days online; contact Cresora for extended archival |
| NACHA | 2 years | Not applicable (stored by you) |
| SOX (if applicable) | 7 years | Contact Cresora |
For PCI DSS compliance, you must maintain audit logs for 12 months with the last 3 months immediately available. Cresora retains API logs for 90 days. For longer retention, use the Reporting API to export and archive logs in your own infrastructure.
Exporting audit logs
Automate log export for long-term archival:
# Export audit log for a date range
GET /v1/audit-log?start=2026-05-01&end=2026-05-31&format=jsonStore exported logs in immutable storage (AWS S3 with object lock, Azure Blob with immutability policy, etc.) to meet PCI DSS tamper-evidence requirements.