The primary goal of an alarm system under PCI DSS is to enable a timely and effective response to a potential security breach. Relying exclusively on local police for alerts from a system prone to false positives (like an emergency exit) is a significant control failure. Law enforcement agencies are known to de-prioritize or delay responses to locations with a high frequency of false alarms, a phenomenon often referred to as "alarm fatigue." An assessor would identify this as a major risk, as the response may not be sufficiently prompt to prevent or mitigate a breach, rendering the security control ineffective for protecting the sensitive environment.

A. This is a secondary logistical issue concerning post-response actions, not the primary problem of ensuring a timely and reliable initial response to the alarm itself.

B. While it is a best practice for alarms to be centrally managed, this describes the procedural cause. The most critical problem for the assessment is the consequence—an unreliable response—as highlighted in option C.

D. This is a general statement about police availability. Option C is more specific and directly addresses the likely reason for non-response in this scenario: the system's design will lead to false positives, which degrades police response priority.

1. PCI Security Standards Council, Payment Card Industry Data Security Standard (PCI DSS) v4.0, March 2022.

Requirement 9.2.3: "Access to sensitive areas is controlled by an access control system..." The guidance for this requirement emphasizes that controls must be active and effective. An alarm system with an unreliable response mechanism fails to effectively control access. The standard requires processes to be in place, and a process that relies on a potentially non-responsive third party is not a reliable process.

2. U.S. Department of Justice, Office of Community Oriented Policing Services. The Police Response to False Alarms by Rana Sampson, 2007.

Page 1, Summary of the Problem: "In many communities, 90 to 98 percent of alarm calls are false... Consequently, police may assign alarm calls a low priority, and response times may be slow. In some jurisdictions, the police will not respond to unverified alarms." This official document directly supports the reasoning that frequent false-positive alerts will degrade the timeliness and reliability of the police response, which is the core issue in the question.

3. University of Florida, Department of Police. Alarm Management Program.

Section: False Alarm Prevention: University and municipal police documentation frequently outline policies for non-response or fines after a certain number of false alarms. The UFPD policy states, "The University of Florida Police Department will not respond to any alarm at a location where three or more false alarms have occurred in a 90-day period..." This type of official policy from a reputable institution demonstrates the real-world consequence described in option C.