Frequently Asked Question

Can PCI DSS compliance be determined by testing only pre-production environments using test data?

No.  There are many tests the assessor would be unable to perform in a pre-production or test environment, and it is unlikely that such testing would meet the intent of a PCI DSS assessment.

If an assessment is planned prior to the production environment going “live”, reviewing the pre-production environment may help the assessor gain advance understanding of how the environment will actually function, which may assist with the assessment when the environment is in production.  However, the assessor could not complete a PCI DSS assessment nor could they state that all applicable requirements are “in place” until the environment is in use.  As an example, the assessor would be unable to confirm whether audit logs are capturing the necessary information if the environment is not operational.

July 2015
Article Number: 1333