Frequently Asked Question

Can PCI DSS compliance be determined by testing only pre-production environments using test data?
No. There are many tests the assessor would be unable to perform in a pre-production or test environment, and it is unlikely that such testing would meet the intent of a PCI DSS assessment.
If an assessment is planned prior to the production environment going “live”, reviewing the pre-production environment may help the assessor gain advance understanding of how the environment will actually function, which may assist with the assessment when the environment is in production. However, the assessor could not complete a PCI DSS assessment nor could they state that all applicable requirements are “in place” until the environment is in use. As an example, the assessor would be unable to confirm whether audit logs are capturing the necessary information if the environment is not operational.
Related
Featured FAQ Articles
Most Recently Updated
-
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?