Which PCI DSS requirement covers developing and maintaining secure systems and applications?

• A. Maintain a policy that addresses information security for all personnel
• B. Develop and maintain secure systems and applications
• C. Identify and authenticate access to system components
• D. Encrypt transmission of cardholder data across open networks

Answer: (B)

The main idea here is building and keeping software and systems secure throughout their life cycle. This means applying secure coding practices, implementing a secure software development life cycle, regularly testing for vulnerabilities, and ensuring timely patching and controlled changes so new code doesn’t introduce weaknesses. It’s the PCI DSS requirement that specifically focuses on how systems and applications are developed and kept secure, rather than just having a security policy, determining who can access components, or encrypting data in transit. The other areas address policy for personnel, authentication/access control, and protecting data in transit—important parts of PCI DSS, but not the one that directly covers developing and maintaining secure systems and applications.