How should production data be treated in testing or development?

• A. Production data should not be used for testing; use non-production data or masked data
• B. Production data can be used without restrictions
• C. Production data must be used for testing
• D. Data replication is required

Answer: (A)

In testing and development, the focus is on protecting cardholder data by avoiding exposure of real production data. The best approach is to use non-production data or data that has been masked, so developers can test functionality and performance without handling actual PANs or other sensitive CHD. Masking, tokenization, or generating synthetic data preserves test usefulness while significantly reducing the risk of data leakage and helping meet PCI DSS protections for stored data. If production data were used without restrictions, it would create unnecessary exposure and potential noncompliance; using production data for testing is not the required practice. Data replication describes duplicating data for environments but does not address the essential need to protect sensitive information during testing.