Which statement about secure software development is true?

• A. Industry standards are not necessary
• B. Security should be incorporated throughout the software development life cycle
• C. PCI DSS does not apply to software development
• D. Development can ignore security considerations

Answer: (B)

Security must be integrated across the entire software development lifecycle. In PCI DSS, developing and maintaining secure systems and applications means applying secure design, coding practices, testing, and ongoing vulnerability remediation at every stage—from planning and design through deployment and maintenance. This approach catches risks early, aligns with industry standards and PCI DSS expectations, and avoids the pitfalls of adding security as an afterthought. Statements that security isn’t necessary, can be ignored, or can be addressed only later contradict both best practice and PCI DSS requirements. Software development does fall under PCI DSS, and security must be considered throughout the process.