Which statement reflects PCI DSS requirement 6.4.3 about using production data for testing?

Multiple Choice

Explanation:
The rule here is about protecting cardholder data when it’s used for testing. PCI DSS requires that production data not be carried into non-production environments in its raw form. If production data is needed for testing, the sensitive fields—especially the primary account number—must be masked or otherwise obscured (or you should use synthetic data). This minimizes the risk of exposing PANs or other PCI data during development and testing.

So the statement that reflects this requirement is that production data may be used for testing only if it is masked. Copying production data as-is into a development environment or using it for performance testing without masking would create unnecessary exposure and does not align with the standard.
