Which PCI DSS requirement tracks and monitors all access to network resources and cardholder data?

• A. Regularly test security systems and processes
• B. Track and monitor all access to network resources and cardholder data
• C. Maintain a policy that addresses information security for all personnel
• D. Protect all systems against malware and regularly update anti-virus software or programs

Answer: (B)

Tracking and monitoring access to network resources and cardholder data is about creating an auditable trail of who accessed what, when, and from where, and making sure those logs are collected, protected, and reviewed. This is exactly what PCI DSS requires: automated audit trails for all access to network resources and cardholder data, plus ongoing monitoring to detect and respond to suspicious activity. Having these logs supports real-time alerts, forensic investigations, and proving compliance by showing who did what and when. The other items describe different controls—testing security systems and processes, maintaining a security policy for personnel, and protecting systems against malware. While important, they don’t address the specific practice of tracking and monitoring access.