Question

The PCI Data Security Standard https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf forbids storing credit card info in the transaction log:

3.2.1 For a sample of system components, examine data sources, including but not limited to the following, and verify that the full contents of any track from the magnetic stripe on the back of card or equivalent data on a chip are not stored under any circumstance: Incoming transaction data

  • All logs (for example, transaction, history, debugging, error)
  • History files
  • Trace files
  • Several database schemas
  • Database contents

Could anybody with read access to the log or log backup file be able to read the CC number? It is not in clear text. Still, is it possible to decrypt it? Is it enough to restrict user access to the log and log backup files?


Solution

This means text logs, such as those from Log4net, not database redo/undo/transaction files.

Why?

PCI says that credit card numbers (PAN) should be sent and stored encrypted in the database, which means only the encrypted value will appear in any database log file (whether an error log or the actual redo/undo/transaction log file). See page 8 and item 3.4 of your document for this.

Edit, after @Shark's observation

  • The database doesn't do encryption/decryption: only storage, no processing
  • The sending/receiving application does encryption/decryption: only processing, no storage
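The split described in the answer, as an added example that is not part of the original post or of any real payment application: the application holds the key and does the encryption, the database only stores what it is handed, and its transaction log therefore records nothing but ciphertext. The `PANVault` and `ToyDB` types, the column name `pan_enc`, and the test PAN `4111111111111111` are all constructed for this illustration; `ToyDB` stands in for a real engine by appending every write verbatim to a log slice, and `MaskPAN` shows the first-six/last-four masking that PCI DSS requirement 3.3 allows for anything the application itself writes to its own text logs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// PANVault holds the application's data-encryption key (hypothetical type).
// The key lives only in the application process, never in the database,
// so the database and anything written to its logs sees only ciphertext.
type PANVault struct{ aead cipher.AEAD }

// NewPANVault builds an AES-256-GCM vault from a 32-byte key.
func NewPANVault(key []byte) (*PANVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PANVault{aead: aead}, nil
}

// Encrypt returns hex(nonce || ciphertext || tag), the only form of the PAN
// that ever reaches the database. A fresh nonce per call means two identical
// PANs produce different stored values, so the log leaks no equality either.
func (v *PANVault) Encrypt(pan string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(v.aead.Seal(nonce, nonce, []byte(pan), nil)), nil
}

// Decrypt reverses Encrypt; the GCM tag makes it fail on any tampering.
func (v *PANVault) Decrypt(stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("stored value too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MaskPAN keeps at most the first six and last four digits (PCI DSS 3.3),
// the form an application may write to its own Log4net-style text logs.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ToyDB stands in for the database (constructed for this example): it keeps
// rows and, like a real engine, records every write verbatim in a transaction log.
type ToyDB struct {
	rows  map[string]string
	txLog []string
}

func NewToyDB() *ToyDB { return &ToyDB{rows: map[string]string{}} }

// Insert stores exactly what the application hands it and logs exactly that.
func (db *ToyDB) Insert(id, panEnc string) {
	db.rows[id] = panEnc
	db.txLog = append(db.txLog,
		fmt.Sprintf("INSERT INTO cards (id, pan_enc) VALUES ('%s', '%s')", id, panEnc))
}

// TxLog is what someone with read access to the log (or its backup) sees.
func (db *ToyDB) TxLog() []string { return db.txLog }

// LogContainsPAN is the question's check: does any log line reveal the clear PAN?
func LogContainsPAN(txLog []string, pan string) bool {
	for _, line := range txLog {
		if strings.Contains(line, pan) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	vault, _ := NewPANVault(key)
	pan := "4111111111111111" // constructed test PAN, not a real card
	enc, _ := vault.Encrypt(pan)
	db := NewToyDB()
	db.Insert("tx-1001", enc)
	fmt.Println("transaction log:", db.TxLog()[0])
	fmt.Println("log reveals PAN:", LogContainsPAN(db.TxLog(), pan))
	fmt.Println("app log line: card", MaskPAN(pan))
	dec, _ := vault.Decrypt(db.rows["tx-1001"])
	fmt.Println("round trip OK:", dec == pan)
}
```

Restricting read access to the log files is still worth doing, but with this split it is defence in depth rather than the control that protects the PAN: a reader of the log or its backup gets ciphertext that is useless without the application's key, which is the property 3.4 asks for.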