Which PCI DSS requirement involves regularly testing security systems and processes?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

Which PCI DSS requirement involves regularly testing security systems and processes?

Explanation:
Regularly testing security systems and processes is about confirming that your security controls stay effective over time and after changes. This requirement focuses on verifying and validating defenses through activities like quarterly vulnerability scans, annual penetration testing, and testing of security-related processes such as change management, monitoring, and incident response. That combination of ongoing checks ensures vulnerabilities are identified and mitigated before they can be exploited, and that security controls continue to function as intended in the face of new threats or changes in the environment. The other options describe different PCI DSS areas—policy management for all personnel, encryption of cardholder data in transit, and protecting stored cardholder data—rather than the ongoing verification and testing of security controls.

