Under the Customized Approach, assessors are responsible for deriving and documenting the testing procedures in Appendix E of the Report on Compliance (ROC). The assessor must ensure the control meets the requirement objective and validate it through custom testing.
Option A: ❌ Incorrect. Ongoing monitoring is the entity's responsibility, not the assessor's.
Option B: ✅ Correct. The assessor must derive and document testing in Appendix E.
Option C: ❌ Incorrect. The entity documents control details; the assessor documents test results.
Option D: ❌ Incorrect. The entity must perform the targeted risk analysis, not the assessor.
[Reference: PCI DSS v4.0.1 – Appendix D (Customized Approach) and Appendix E (ROC Template).]
Question # 25
Where can live PANs be used for testing?
Options:
A. Production (live) environments only.
B. Pre-production (test) environments only if located outside the CDE.
C. Pre-production environments that are located within the CDE.
D. Testing with live PANs must only be performed in the QSA Company environment.
Requirement 6.4.3.1 clarifies that if live PANs are to be used in testing, the test environment must meet all applicable PCI DSS controls. Thus, testing with live PANs is only allowed if the test environment is within the CDE and fully secured.
Option A: ❌ Incorrect. Testing should not happen in production.
Option B: ❌ Incorrect. It must be within the CDE if live PAN is involved.
Option C: ✅ Correct. Live PANs can be used in pre-production environments within the CDE.
Option D: ❌ Incorrect. There's no requirement to test only within QSA environments.
[Reference: PCI DSS v4.0.1 – Requirement 6.4.3.1 and its Applicability Note.]