According to the PCI DSS v3.2.1 Quick Reference Guide 1 , audit logs must be retained for at least 1 year, with the most recent 3 months immediately available. This is one of the requirements for ensuring that audit logs are available for review and analysis.

According to requirement 3.1.2, multi-tenant service providers must ensure that customers cannot access another entity’s cardholder data environment, which means they should isolate each customer’s cardholder data from other customers’ cardholder data and prevent unauthorized access or disclosure. This is one of the requirements for ensuring that multi-tenant service providers protect each customer’s cardholder data.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , quarterly means occurring at some point in each quarter of a year, not at least once every 95 or 97 days. This is one of the requirements for ensuring that PCI DSS assessments are conducted on a regular basis.

According to requirement 1, network security controls are intended to control network traffic between two or more logical or physical network segments, which means they should prevent unauthorized access, modification, or disclosure of cardholder data or transactions over the network. This is one of the requirements for ensuring that network security controls are implemented and maintained in accordance with PCI DSS.

The Secure SLC standard is one of the two standards that are part of the PCI Software Security Framework (SSF), which provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles and to validate that secure lifecycle management practices are in place 1 2 .  The Secure SLC standard is designed to offer a more flexible approach to how the security and integrity of payment software is tested, and to address the evolving threat landscape and changes in software development practices 3 .

The PCI DSS Requirement 6 states that entities must develop and maintain secure systems and applications, and it includes several sub-requirements that cover various as pects of software security, such as change control, secure coding, vulnerability management, and patching 4 .  By using custom software that is compliant with the Secure SLC standard, an entity may be able to meet some or all of these sub-requirements, as the Secure SLC standard covers similar topics and ensures that the software is developed and maintained in a secure manner throughout its entire lifecycle 1 .  However, this does not automatically make the entity PCI DSS compliant, as there are other requirements and controls that the entity must implement and validate, such as network security, access control, monitoring, and incident response 4 . Therefore, the correct answer is option B.

The other options are not true regarding the impact of using custom software that is compliant with the Secure SLC standard on the PCI DSS assessment. Option A is not true because, as explained above, the entity still has to comply with other PCI DSS requirements and controls that are not covered by the Secure SLC standard. Option C is not true because there is a positive impact to the entity, as it may help the entity to meet several requirements in Requirement 6 and to demonstrate that the custom software is secure and reliable. Option D is not true because the custom software cannot be excluded from the PCI DSS assessment, as it is part of the cardholder data environment (CDE) and it may store, process, or transmit cardholder data or sensitive authentication data.  The entity must ensure that the custom software meets the PCI DSS requirements and controls that are applicable to it, and that the assessor validates its compliance 4 .  References :

Software Security Framework Secure Software Life Cycle (Secure SLC) Standard

PCI Security Standards Council Publishes Version 1.1 of Secure Software Lifecycle (SLC) Standard and Program

PCI Security Standards Council Publishes Version 1.1 of Secure Software Standard and Program

PCI DSS v3.2.1

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , internal vulnerability scans must be performed after a significant change in any component or configuration that affects cardholder data or payment processing systems. This is one of the requirements for identifying and mitigating vulnerabilities that could compromise cardholder data.

According to requirement 4, an entity must monitor its TPSP’s PCI DSS compliance status at least annually, which means it should review its TPSP’s policies and procedures for protecting cardholder data and transactions against fraud and other threats at least once a year. This is one of the requirements for ensuring that an entity monitors its TPSP’s PCI DSS compliance status regularly.

Segmentation is a method of isolating system components that store, process, or transmit cardholder data from systems that do not, by using security controls such as firewalls, routers, switches, or other devices 1 .  Segmentation can reduce the scope of the cardholder data environment (CDE) and thus reduce the scope of the PCI DSS assessment, as only the systems and networks within the CDE or connected to the CDE are subject to PCI DSS requirements 2 .  Virtual LANs (VLANs) are one example of such a security control, as they can create logical subnetworks that separate different types of traffic and restrict access between them 3 . Therefore, the correct answer is option C.

The other options are not true regarding the scenario that describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope. Option A is not true because routers that monitor network traffic flows between the CDE and out-of-scope networks are not sufficient to isolate the CDE, as they do not prevent or limit the traffic flows. Option B is not true because firewalls that log all network traffic flows between the CDE and out-of-scope networks are not sufficient to isolate the CDE, as they do not block or filter the traffic flows. Option D is not true because a network configuration that prevents all network traffic between the CDE and out-of-scope networks is not realistic or feasible, as some traffic may be necessary for business or legal reasons, such as payment processing, reporting, or auditing.  References :

Network Segmentation - PCI Security Standards Council

Guidance for PCI DSS Scoping and Network Segmentation

VLANs and PCI Compliance: What You Need to Know