For custom code updates, what must be done before deployment into production according to PCI DSS requirements?

• A. All updates are tested for compliance with PCI DSS Requirement 6.5 before production deployment
• B. Changes may go live without testing if code review occurred
• C. Only a subset of changes require testing
• D. Testing is only for performance, not security

Answer: (A)

Testing all custom code updates before they are deployed to production is what PCI DSS requires. This aligns with PCI DSS Requirement 6.5, which focuses on secure development practices for custom software and mandates that changes to production code be tested to verify they meet security requirements and do not introduce vulnerabilities. By ensuring every update undergoes security-focused testing, you confirm compliance with secure coding standards and prevent new weaknesses from entering production. Relying only on code reviews, testing only a subset of changes, or testing solely for performance would not meet this requirement, since security testing of all changes is necessary.