What process should be followed for changes to system components?


Multiple Choice

What process should be followed for changes to system components?

Explanation:
Change control is the formal, documented process for approving, testing, implementing, and auditing any modification to system components. PCI DSS requires applying this for all changes to system components—no exceptions for minor changes or for non-production environments. This ensures each change is properly authorized, tested in a controlled setting, documented, and reversible if needed, helping to prevent security gaps and unintended impacts on controls. Minor changes aren’t exempt, and change control isn’t limited to production; development and testing environments must also be governed to maintain security and consistency. Thus, the correct approach is to follow change control processes and procedures for all changes to system components.
