Testing with Live PANs
PCI DSS Requirement 6.4.3 requires that live PANs (Primary Account Numbers) only be used in secure
and controlled environments within the CDE.
Pre-production environments located within the CDE must adhere to all PCI DSS requirements for
security and monitoring.
Prohibited Uses
Testing with live PANs in environments outside the CDE violates PCI DSS. Only simulated data should
be used in less secure testing environments.
Incorrect Options
Option A: Production environments are for real transactions, not testing.
Option B: Test environments outside the CDE are insecure for live PANs.
Option D: The QSA environment is irrelevant to the organization’s CDE testing controls.
