According to the PCI DSS v3.2.1 Quick Reference Guide 1 , a different certificate is assigned to each individual user account, and certificates are not shared. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , business facilities and system components can be sampled for testing during a PCI DSS assessment, as long as they are not critical components or components that are not in scope for testing. This is one of the requirements for ensuring that testing covers all relevant components and processes.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , system configuration and parameter files must be monitored by a change-detection mechanism (for example, a file-integrity monitoring tool). This is one of the requirements for ensuring that changes to system configuration and parameter files are detected and verified.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , assigning a unique ID to each person is intended to ensure individual users are accountable for their own actions, rather than shared accounts or group accounts based on need-to-know. This is one of the requirements for ensuring that user accounts are properly managed and controlled.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , pre-production environments that are located within the cardholder data environment can be used for testing, as long as they are not accessible from untrusted networks and are monitored for any changes or vulnerabilities. This is one of the requirements for ensuring that testing environments are isolated from production environments.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , passwords for default accounts and default administrative accounts should be changed before installing a system on the network. This is one of the requirements for preventing unauthorized access to cardholder data.

PCI DSS Requirement 12.10.1 requires entities to implement an incident response plan that includes roles, responsibilities, and communication and contact strategies for a data security incident, including notification of relevant payment brands 1 .  This is important because each payment card brand has its own policies and procedures for dealing with a security breach, and failing to follow them or meet reporting deadlines could result in fines or loss of authority to process payment card transactions 2 .  Therefore, an incident response plan must include procedures for notifying PCI SSC of the security incident, as well as any other entities that may require notification, whether by contract or law 1 .  References :

Guidance for PCI DSS Scoping and Network Segmentation

Responding to a Cardholder Data Breach

all network transmissions must be logged by an entity’s security information and event management (SIEM) system or equivalent tool, which means they should record all network events and activities related to cardholder data processing and transmission. This is one of the requirements for ensuring that network transmissions are monitored and audited.

 The Software Security Framework (SSF) is a collection of standards and programs for the secure design and development of payment software 1 .  The SSF replaces the Payment Application Data Security Standard (PA-DSS) with modern requirements that support a broader array of payment software types, technologies, and development methodologies 2 .  The SSF applies to any payment software that is part of the cardholder data environment (CDE), which is the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data 3 . Therefore, the correct answer is option A.

The other options are not true regarding the applicability of the SSF to different software types. Option B is not true because the SSF is not limited to software that runs on PCI PTS devices, which are hardware devices that accept payment card data at the point of interaction. The SSF covers software that runs on various platforms and devices, such as web servers, mobile devices, cloud services, and embedded systems. Option C is not true because the SSF is not limited to validated payment applications that are listed by PCI SSC and have undergone a PA-DSS assessment, which are payment applications that have been validated by PA-DSS assessors and meet the PA-DSS requirements. The SSF covers payment software that may not be eligible for PA-DSS validation, such as software that is developed by merchants or service providers for their own use, or software that is not sold, distributed, or licensed to a third party. Option D is not true because the SSF is not limited to software that is developed by the entity in accordance with the Secure SLC Standard, which is one of the two standards that are part of the SSF and provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles. The SSF covers payment software that is developed by any entity, whether it is a software vendor, a merchant, a service provider, or a third party, as long as it meets the security requirements and validation procedures of the Secure Software Standard, which is the other standard that is part of the SSF and provides security requirements and assessment procedures for payment software products.  References :

Understanding the PCI Software Security Framework: New Educational Resources

PCI Software Security Framework Provides a Modern Approach to Payment Software Security

PCI DSS v3.2.1

[PCI PTS POI Security Requirements]

[Software Security Framework Secure Software Standard]

[Payment Application Data Security Standard]

[Software Security Framework Secure Software Life Cycle (Secure SLC) Standard]

[PCI DSS v4.0: Is the Customized Approach Right For Your Organization?]

According to the PCI PTS standard 2 , point-of-interaction devices used to protect account data are point-of-interaction devices (POI), which are devices that are used to authenticate, authorize, or verify cardholder data or transactions. This is one of the requirements for ensuring that POI devices are used in accordance with PCI DSS.